Cybersecurity Law, Standards and Regulations [2 ed.] 1944480560, 9781944480561

In today’s litigious business world, cyber-related matters could land you in court. As a computer security professional,

English Pages 324 [325] Year 2020


Table of contents :
Cover
Title page
Copyright
Dedication
Acknowledgments
Foreword
Foreword 2
Contents
Introduction to the 2nd Edition
Chapter 1 - Introduction to Cybersecurity Law
1.1 Infamous Cybercrimes
1.2 Cybercrime Taxonomy
1.3 Civil vs. Criminal Cybersecurity Offenses
1.3.1 Clarifying the Definition of Cybercrime
1.3.2 Challenging Your Current Definition of Cybercrime
1.3.3 Creating a Strong Cybercrime Definition
1.3.4 Cybercrime Categories in the Incident Response Plan
1.4 Understanding the Four Basic Elements of Criminal Law
It would be nearly impossible to build connections to the law in your cybersecurity plan without at least knowing the fundamentals of criminal law. If you know how the legal system determines g...
1.4.1 Mens Rea
1.4.2 Actus Reus
1.4.3 Concurrence
1.4.4 Causation
1.5 Branches of Law
1.6 Tort Law
1.6.2 Strict Liability Tort
1.6.3 Tort Precedents
1.7 Cyberlaw Enforcement
1.7.1 Regulatory Enforcement
1.7.2 Local Enforcement
1.7.3 State Enforcement
1.7.4 Federal Enforcement
1.7.5 International Enforcement
1.8 Cybersecurity Law Jurisdiction
1.8.1 Challenging Jurisdiction
1.8.2 Extradition
1.9 Cybercrime and Cyber Tort Punishment
1.9.1 Cybercrime Punishment
1.9.2 Cyber Tort Punishment
Chapter 2 - Overview of US Cybersecurity Law
2.1 Brief History of Resolving Cybersecurity Disputes
2.1.1 Computer Crime Laws in the Public Sector
2.1.2 Computer Crime Laws in the Private Sector
2.1.3 Application of Laws to Cybersecurity
2.2 Alternative Dispute Resolution (ADR)
2.1 Cybersecurity Case Mediation Law
2.2.2 Cybersecurity Case Arbitration Law
2.2.3 Cybersecurity Case Dispositive Motion Law
2.3 Successful Data Breach Lawsuits
2.4 Duty of Care Doctrine
2.4.1 Duty to Provide Reasonable Security
2.4.2 Duty to Reveal Security Breaches
2.4.3 Duty to Accurately Disclose Safeguards
2.4.4 Duty to Protect Information
2.4.5 State-Based Duty of Care Laws
2.5 Failure to Act Doctrine
2.5.1 Failure to Act Duty
2.5.2 Failure to Warn Duty
2.5.3 Cybersecurity Good Samaritan Law
2.6 Reasonable Person Doctrine
2.7 Common Law Duty
2.8 Criminal Cyberlaw
2.8.1 Cybercrime Penalties
2.9 Federal Computer Crime Statutes
2.9.1 Federal Laws Addressing Computer Security
2.9.2 The US Code
2.10 Procedural Law
2.10.1 Rules of Criminal Procedure
2.10.2 Rules of Civil Procedure (Cyber Tort)
2.11 State Computer Crime Laws
2.11.1 State Ransomware Laws
2.11.2 Federal Ransomware Laws
2.11.3 State Cyber Reserve Laws
2.11.4 State Denial of Service Laws
2.11.5 State Election Security Legislation
2.11.6 State Anti-Phishing Laws
2.11.7 Identity Theft Laws
2.11.8 State Cyberbullying Laws
2.12 False Claims Act (FCA)
Chapter 3 - Cyber Privacy and Data Protection Law
3.1 Common Law of Privacy
3.2 Privacy Laws
3.2.1 Children's Privacy Laws
3.2.2 Healthcare Data Privacy Laws
3.2.3 Federal Privacy Laws
3.2.4 Cybercrime on Tribal Lands
3.2.5 State Privacy Laws
3.2.6 State Chief Information Privacy Officer (CIPO) Laws
3.2.7 International Privacy Laws
3.3 Data Breach Laws
3.3.1 State Data Breach Laws
3.3.2 Federal Data Breach Laws
3.3.3 International Data Breach Laws
3.3.4 General Data Protection Regulation (GDPR)
3.4 Data Breach Litigation
3.4.1 Injury vs. No-Injury Class Action Lawsuits
3.4.2 Data Privacy and the US Supreme Court
3.4.3 Shareholder Derivative Lawsuits
3.4.4 Securities Fraud Lawsuits
3.5 Privacy Notice Law
3.6 Personal Liability
3.6.1 Directors and Officers Insurance
3.6.2 Preemptive Liability Protection
3.6.3 Cybersecurity Whistleblower Protections
3.7 Data Disposal Laws
3.8 Electronic Wiretap Laws
3.9 Digital Assistant Privacy Issues
3.10 Social Media Privacy
3.11 Event Data Recorder (EDR) Privacy
3.12 Automated License Plate Reader (ALPR) Privacy
Chapter 4 - Cryptography and Digital Forensics Law
4.1 Brief Overview of Cryptography
4.2 Cryptography Law
4.2.1 Export Control Laws
4.2.2 Import Control Laws
4.2.3 Cryptography Patent Infringement
4.2.4 Search and Seizure of Encrypted Data
4.2.5 Encryption Personal Use Exemption
4.3 State Encryption Laws
4.3.1 State Encryption Safe Harbor Provision
4.4 Fifth Amendment and Data Encryption
4.5 Laws and Regulations Requiring Encryption
4.6 International Cryptography Law Perspective
4.7 International Key Disclosure Law
4.8 Legal Aspects of Digital Forensics
4.8.1 Preservation Order
4.8.2 Digital Best Evidence Rule
4.8.3 Digital Chain of Custody
4.8.4 Digital Data Admissibility in Court
4.8.5 Digital Evidence Spoliation
4.8.6 Fourth Amendment Rights and Digital Evidence
4.8.7 Expert Witnesses
4.8.8 Security Consultant Client Privilege
4.9 State Digital Forensics Law
4.10 The CLOUD Act
- U.S. Access to Foreign Stored Data – The Act authorizes U.S. law enforcement to unilaterally demand access to data stored outside the U.S. When the U.S. orders a company to produce communications data, the Act provides a mechanism for a communicatio...
- Executive Agreements – The Act permits federal officials to enter into executive agreements granting foreign access to data stored in the U.S., even if that data would otherwise be protected under The Electronic Communications Privacy Act (ECPA). Pri...
4.11 Emerging Data Encryption Laws
When encryption was originally envisioned it was primarily designed to protect information from being used by bad actors once stolen. Authors of original encryption algorithms never really thought that governments would want to have access to their en...
In an effort to bring sanity to the uncontrolled growth of encryption regulations, two important laws have been introduced. One is essentially to have one national encryption law applicable to all states and the other is to keep government from interf...
4.11.1 Ensuring National Constitutional Rights for Your Private Telecommunications (ENCRYPT) Act
For the second time, H.R. 4170 – Ensuring National Constitutional Rights for Your Private Telecommunications (ENCRYPT) Act was introduced in the US Congress in August of 2019. The ENCRYPT Act would trump state and local government encryption laws to p...
4.11.2 Secure Data Act
4.12 Biometrics Law
4.13 Genetic Information Privacy Laws
Chapter 5 - Acts, Standards & Regulations
5.1 Basel III Accord
5.2 Chemical Facility Anti-Terrorism Standards (CFATS) Act
5.3 Defense Federal Acquisition Regulations Supplement (DFARS)
5.3.1 Minimum Requirements for DFARS
5.3.2 Termination of Contracts and Penalties for Non-Compliance
5.4 Directive on Security of Network and Information Systems NIS Directive
5.5 European Union Cybersecurity Act
5.6 Family Educational Rights and Privacy Act (FERPA)
5.7 Federal Financial Institutions Examination Council (FFIEC)
5.8 Federal Information Security Management Act (FISMA)
5.9 Financial Industry Regulatory Authority (FINRA) Rules
5.10 Food and Drug Administration Code of Federal Regulations Title 21 Part 11
5.10.1 ALCOA Model
5.11 Health Information Technology for Economic and Clinical Health Act (HITECH)
5.12 Health Insurance Portability and Accountability Act (HIPAA)
5.13 Joint Commission on the Accreditation of Healthcare Organizations (JCAHO)
5.14 North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP)
5.15 Payment Card Industry – Data Security Standard (PCI- DSS)
5.16 Sarbanes Oxley Act (SOX)
5.16.1 Cybersecurity Flaw Whistleblower Protection
5.17 Standards
5.17.1 International Organization for Standardization (ISO) Security Standards
5.17.2 National Institute of Standards & Technology (NIST)
5.17.3 Center for Internet Security® (CIS) Controls
5.17.4 Industry-Specific Cyber Security Standards
Chapter 6 - Creating a Cybersecurity Law Program
6.1 Cybersecurity Law Program
6.1.1 Model
6.1.2 Architecture
6.1.3 Program Staffing and Roles
6.1.4 Program Policies
6.1.5 Program Procedures
6.1.6 Program Technology
6.1.7 Mapping Legal Requirements to Controls
6.1.8 ISO/IEC 27002 on Compliance Controls
6.2 Cyber Liability Insurance
6.2.1 Coverage Categories
6.2.2 Policy Restrictions
6.2.3 Policy Value
6.2.4 Policy Cost
6.2.5 Policy Claims
6.2.6 Policy Claim Disputes
6.2.7 Policy Lawsuits
6.2.8 Act of War Defense
6.2.9 Insurable vs Uninsurable Risk
6.2.10 Cyber Risk Insurance Pools
6.2.11 Silent Cyber Risk Insurance
6.3 Data Breach Worksheet
6.3.1 Data Breach Calculators
6.4 Compliance Auditing
6.4.1 Critical Audit Matters (CAM)
6.4.2 Internal vs. External Auditing
6.4.3 Auditing Associations
Chapter 7 - Future Developments in Cybersecurity Law
7.1 Future of Cybersecurity Legislation
7.1.1 Constitutionality of Cybersecurity Law
7.2 Impact of Technology on Cybersecurity Law
7.2.1 Legal Implications of the Internet of Things (IoT)
7.2.2 Legal Implications of Big Data
7.2.3 Legal Implications of Cloud Computing
7.2.4 Legal Implications of Security Testing
7.3 Future US Cybersecurity Legislation
7.4 US Foreign Policy on Cybersecurity
7.5 National Association of Insurance Commissioners (NAIC) Model Cybersecurity Law
7.6 Harmonization of International Cybersecurity Laws
7.6.1 Cybersecurity Law and Trade Pacts
7.6.2 Harmonization of Cybersecurity and Privacy Law
7.6.3 Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) Cybersecurity Framework
7.6.4 Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System
7.6.5 US-Mexico-Canada Agreement (USMCA)
7.6.6 Cyberbalkanization Laws
7.6.7 Data Localization Laws
7.6.8 Singapore Payment Services Act
7.7 Aligning the Law of the Sea to Cybersecurity Law
7.8 Cybersecurity Law in Outer Space
7.9 The Law of Armed Conflict in Cyberwar
7.10 North Atlantic Treaty Organization (NATO) Cyberlaw Stance
7.11 United Nations – Universal Cybersecurity Legal Framework
7.12 International Treaties on Cybersecurity
7.13 Brexit Impact on European Union Cybersecurity Law
7.14 G7 Perspective on Cybercrime
Appendix A
Useful Checklists and Information
Index
Credits
About the Author

Cybersecurity Law, Standards and Regulations
2nd Edition
Tari Schreider C|CISO, CRISC, ITIL® Foundation, MCRP, SSCP

This thoroughly updated revision reflects the very latest developments in cybersecurity law, standards and regulations.

Cybersecurity practitioners, attorneys and privacy managers now have a single, comprehensive resource on cybersecurity law plus the latest international standards and regulations. Cybersecurity Law, Standards and Regulations (2nd Edition) by Tari Schreider is the FIRST book to provide a foundation resource for understanding cybersecurity and privacy law, regulations and standards at the state, federal and international levels. The extensive coverage of cyber law topics includes discussions of the foundation of law as it applies to the cyberworld; privacy; judicial rulings; cryptography and forensics law; cyber insurance; future developments in cybersecurity law; and much more.

New in the 2nd Edition:

- 50+ call out boxes highlighting cyber law cases and important legal resources.
- 60 self-study questions to hone your knowledge.
- 8 cyberlaw program models to guide program design efforts.
- 10 powerful templates to document your cybersecurity law program.
- Addition of CISO, IoT, Data Broker, Cloud, and Event Data Recorder cybersecurity laws.
- Addition of digital assistant privacy issues.
- Impact of Calif. A.B.5 on bug bounty programs.
- Coverage of “Act of War” cyber insurance clauses.
- Expanded Fourth and Fifth Amendment coverage.
- Updated coverage of cybersecurity treaties.
- Addition of social media privacy laws.
- Addition of cybercrime on tribal lands.
- Addition of cybersecurity whistleblower protections.

Tari Schreider, C|CISO, CRISC, ITIL® Foundation, MCRP, SSCP is a distinguished technologist and nationally known expert in the fields of cybersecurity, risk management, and disaster recovery. He was formerly Chief Security Architect at Hewlett Packard Enterprise and is an instructor for EC-Council where he teaches advanced CISO certification and risk management courses. Tari Schreider is also the author of Building an Effective Cybersecurity Program 2nd Edition (Rothstein Publishing 2020).

Rothstein Publishing is your premier source of books and learning materials about Business Resilience – including Business Continuity, Disaster Recovery, and Risk, Crisis, and Emergency Management. Our industry-leading authors provide current, actionable knowledge, solutions, and tools you can put into practice immediately. Founded in 1984 by Philip Jan Rothstein, FBCI, our company remains true to our commitment to prepare you and your organization to protect, preserve, and recover what is most important: your people, facilities, assets, and reputation. Rothstein Publishing is a division of Rothstein Associates Inc., an international management consultancy.

www.rothsteinpublishing.com [email protected] twitter.com/RothsteinPub facebook.com/RothsteinPublishing linkedin.com/company/rothstein-associates-inc.

Cybersecurity Law, Standards and Regulations
2nd Edition
Tari Schreider C|CISO, CRISC, ITIL® Foundation, MCRP, SSCP
Kristen Noakes-Fry, ABCI, Editor

ISBN 9781944480561 PRINT
ISBN 9781944480585 PDF
ISBN 9781944480578 EPUB
Library of Congress Control Number: 2019955633

203.740.7400 [email protected] www.rothstein.com
Keep informed about Rothstein Publishing: www.facebook.com/RothsteinPublishing www.linkedin.com/company/rothsteinpublishing www.twitter.com/rothsteinpub

COPYRIGHT ©2020, Rothstein Associates Inc. All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without express, prior permission of the Publisher. No responsibility is assumed by the Publisher or Authors for any injury and/or damage to persons or property as a matter of product liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Local laws, standards, regulations, and codes should always be consulted first before considering any advice offered in this book.

Brookfield, Connecticut USA 203.740.7400
[email protected] www.rothstein.com www.rothsteinpublishing.com

Dedication

For my loving wife, Teri, forever and always supportive. You were a great sounding board for my ideas and reminded me to keep my content relatable. To my Grandpa John who, from my earliest memory to his last days, always told me I could do anything and be anything. His presence while writing was constant, and I only wish he were still with us to see this book published.

Acknowledgments

I cannot express enough thanks to my publishing team from Rothstein Publishing. To Kristen Noakes-Fry, for expertly and gently guiding me through the first edition of this book and helping me understand the process of professional publishing, and to Philip Jan Rothstein, my publisher, who believed enough in this book to support a second edition.

Foreword

Those of us of a certain generation remember where we were the morning of September 11, 2001. For me, that was in my office at the US Department of Justice headquarters in Washington, DC, a stone’s throw from the Pentagon. The shocking images on TV of planes flying into the World Trade Center were surpassed for me only by the plumes of black smoke I saw from my office window as they rose above the burning Pentagon. On that day, 19 terrorists hijacked a technology meant to improve our way of life and bring the world closer together – passenger aircraft – and weaponized it for an evil and destructive purpose. As then-Attorney General John Ashcroft and my boss would state, our paradigm for anti-terrorism efforts necessarily changed overnight from prosecution to prevention.

Just as terrorists weaponized passenger aircraft on September 11th and forced a paradigm shift in America’s anti-terrorism efforts, so too have “digital terrorists” forced a shift in our approach to cybersecurity by declaring cyberwar on corporations. As a manager or key executive, you know that in this new world of cyberattacks, data breaches, and data intrusion, prevention is the necessary paradigm.

In Cybersecurity Law, Standards and Regulations (2nd Edition), Tari Schreider helps you take clear, methodical, practical steps in your organization to address the explosion of cybersecurity laws and regulations of the past few years. Tari emphasizes that you not only must defend against bad actors, but also defend against legal actions resulting from a data breach. As the former Chief Security Architect for a Fortune 100 company and cybersecurity strategist and instructor, Tari draws on his years of experience in both the technical development of security programs and the compliance assessment of the same to articulate the full spectrum of operationalizing cybersecurity in your organization. From helping you understand the basics of cybersecurity law, to outlining the key elements of regulations and statutes required to ensure the privacy of information, Tari – in the words of a cybersecurity colleague – “turns the obscure into the obvious in a manner that precludes any misunderstanding.”

You can have confidence in Tari, as he serves as your cybersecurity law guide, identifying current and coming cyber regulations, standards and laws, delivering the roadmap for creating a cybersecurity law program. It is now in your hands to act on this intelligence.

Susan Richmond Johnson, MBA, MPM/CIPM
Managing Principal, The Ashcroft Group LLC
Washington, DC
February, 2020

Foreword

When reading the book to write this foreword, I found Tari’s wisdom woven into every page. He has mapped cybersecurity law into a practical application across every silo of an organization. Why he had asked me to provide the foreword became evident when I was taken on a round-the-world trip, an investigation into the privacy and data protection laws in the U.S., Canada, Brazil, to the EU, Thailand, India, even China and Australia, and more.

When thinking on who should read this book, my initial thoughts were any cybersecurity professional. This book provides the tools they need to create a solid business case on why an organisation should invest in cybersecurity. The book explains how the laws work, including for each section a goodie bag of hard facts and real examples on the consequences and costs of doing nothing. Hence this book for the cybersecurity professional is a tool to map cybersecurity risk into something concrete the board can understand.

As I progressed through the book, my thoughts shifted over to the legal professional. Attorneys or barristers may know their legal niche but likely lack the experience on how to map this to an organisation’s operations. IT has always been something of black magic for non-technical individuals, but now nearly all data is digital, and technology has become increasingly pervasive. What this book does for them is map cybersecurity laws to operational mitigations and remediations, i.e. what needs to be done on a practical level. This knowledge can be used to get a decent conversation between the technical and cybersecurity crew.

Where does this take us? Well, if both cybersecurity and legal experts read this book, between them they’d be in a strong position to do what is right, as prescribed by Tari in the final part of the book, creating your Cybersecurity Law Program. This book bridges the gap between cybersecurity and legal and gives you the proper tools and common language to communicate with your board effectively so that money spent on cybersecurity is spent wisely.

Karen Lawrence Öqvist
CEO Privasee AB
Author of Virtual Shadows & A Hands-on Approach to GDPR Compliance
MBA MSc CIPP/E CIPT CIPM
Stockholm, Sweden
February, 2020

Contents

Dedication ... iii
Acknowledgments ... iii
Foreword ... v
Foreword ... vii
Contents ... 1
Introduction to the 2nd Edition ... 9
Chapter 1 Introduction to Cybersecurity Law ... 13
1.1 Infamous Cybercrimes ... 14
1.2 Cybercrime Taxonomy ... 15
1.3 Civil vs. Criminal Cybersecurity Offenses ... 16
1.3.1 Clarifying the Definition of Cybercrime ... 17
1.3.2 Challenging Your Current Definition of Cybercrime ... 18
1.3.3 Creating a Strong Cybercrime Definition ... 18
1.3.4 Cybercrime Categories in the Incident Response Plan ... 19
1.4 Understanding the Four Basic Elements of Criminal Law ... 20
1.4.1 Mens Rea ... 20
1.4.2 Actus Reus ... 20
1.4.3 Concurrence ... 21
1.4.4 Causation ... 21
1.5 Branches of Law ... 22
1.6 Tort Law ... 22
1.6.2 Strict Liability Tort ... 23
1.6.3 Tort Precedents ... 24
1.7 Cyberlaw Enforcement ... 24
1.7.1 Regulatory Enforcement ... 25
1.7.2 Local Enforcement ... 26
1.7.3 State Enforcement ... 26
1.7.4 Federal Enforcement ... 27
1.7.5 International Enforcement ... 27
1.8 Cybersecurity Law Jurisdiction ... 28
1.8.1 Challenging Jurisdiction ... 29
1.8.2 Extradition ... 30
1.9 Cybercrime and Cyber Tort Punishment ... 32
1.9.1 Cybercrime Punishment ... 32
1.9.2 Cyber Tort Punishment ... 32
Chapter 2 Overview of US Cybersecurity Law ... 37
2.1 Brief History of Resolving Cybersecurity Disputes ... 38
2.1.1 Computer Crime Laws in the Public Sector ... 38
2.1.2 Computer Crime Laws in the Private Sector ... 39
2.1.3 Application of Laws to Cybersecurity ... 39
2.2 Alternative Dispute Resolution (ADR) ... 40
2.1 Cybersecurity Case Mediation Law ... 41
2.2.2 Cybersecurity Case Arbitration Law ... 42
2.2.3 Cybersecurity Case Dispositive Motion Law ... 43
2.3 Successful Data Breach Lawsuits ... 47
2.4 Duty of Care Doctrine ... 48
2.4.1 Duty to Provide Reasonable Security ... 49
2.4.2 Duty to Reveal Security Breaches ... 49
2.4.3 Duty to Accurately Disclose Safeguards ... 51
2.4.4 Duty to Protect Information ... 51
2.4.5 State-Based Duty of Care Laws ... 52
2.5 Failure to Act Doctrine ... 52
2.5.1 Failure to Act Duty ... 52
2.5.2 Failure to Warn Duty ... 53
2.5.3 Cybersecurity Good Samaritan Law ... 53
2.6 Reasonable Person Doctrine ... 54
2.7 Common Law Duty ... 54
2.8 Criminal Cyberlaw ... 55
2.8.1 Cybercrime Penalties ... 55
2.9 Federal Computer Crime Statutes ... 56
2.9.1 Federal Laws Addressing Computer Security ... 56
2.9.2 The US Code ... 58
2.10 Procedural Law ... 59
2.10.1 Rules of Criminal Procedure ... 60
2.10.2 Rules of Civil Procedure (Cyber Tort) ... 60
2.11 State Computer Crime Laws ... 62
2.11.1 State Ransomware Laws ... 63
2.11.2 Federal Ransomware Laws ... 64
2.11.3 State Cyber Reserve Laws ... 65
2.11.4 State Denial of Service Laws ... 65
2.11.5 State Election Security Legislation ... 66
2.11.6 State Anti-Phishing Laws ... 67
2.11.7 Identity Theft Laws ... 67
2.11.8 State Cyberbullying Laws ... 68
2.12 False Claims Act (FCA) ... 69
Chapter 3 Cyber Privacy and Data Protection Law ... 75
3.1 Common Law of Privacy ... 76
3.2 Privacy Laws ... 76
3.2.1 Children's Privacy Laws ... 77
3.2.2 Healthcare Data Privacy Laws ... 80
3.2.3 Federal Privacy Laws ... 87
3.2.4 Cybercrime on Tribal Lands ... 89
3.2.5 State Privacy Laws ... 91
3.2.6 State Chief Information Privacy Officer (CIPO) Laws ... 91
3.2.7 International Privacy Laws ... 92
3.3 Data Breach Laws ... 93
3.3.1 State Data Breach Laws ... 94
3.3.2 Federal Data Breach Laws ... 95
3.3.3 International Data Breach Laws ... 99
3.3.4 General Data Protection Regulation (GDPR) ... 102
3.4 Data Breach Litigation ... 105
3.4.1 Injury vs. No-Injury Class Action Lawsuits ... 105
3.4.2 Data Privacy and the US Supreme Court ... 107
3.4.3 Shareholder Derivative Lawsuits ... 109
3.4.4 Securities Fraud Lawsuits ... 110
3.5 Privacy Notice Law ... 111
3.6 Personal Liability ... 112
3.6.1 Directors and Officers Insurance ... 113
3.6.2 Preemptive Liability Protection ... 113
3.6.3 Cybersecurity Whistleblower Protections ... 114
3.7 Data Disposal Laws ... 115
3.8 Electronic Wiretap Laws ... 116
3.9 Digital Assistant Privacy Issues ... 117
3.10 Social Media Privacy ... 117
3.11 Event Data Recorder (EDR) Privacy ... 118
3.12 Automated License Plate Reader (ALPR) Privacy ... 120
Chapter 4 Cryptography and Digital Forensics Law ... 127
4.1 Brief Overview of Cryptography ... 128
4.2 Cryptography Law ... 129
4.2.1 Export Control Laws ... 130
4.2.2 Import Control Laws ... 132
4.2.3 Cryptography Patent Infringement ... 133
4.2.4 Search and Seizure of Encrypted Data ... 136
4.2.5 Encryption Personal Use Exemption ... 138
4.3 State Encryption Laws ... 139
4.3.1 State Encryption Safe Harbor Provision ... 139
4.4 Fifth Amendment and Data Encryption ... 140
4.5 Laws and Regulations Requiring Encryption ... 141
4.6 International Cryptography Law Perspective ... 142
4.7 International Key Disclosure Law ... 143
4.8 Legal Aspects of Digital Forensics ... 144
4.8.1 Preservation Order ... 144
4.8.2 Digital Best Evidence Rule ...
145 4.8.3 Digital Chain of Custody ............................................................................................ 146 4.8.4 Digital Data Admissibility in Court............................................................................ 147 4.8.5 Digital Evidence Spoliation ........................................................................................ 147 4

4.8.6 Fourth Amendment Rights and Digital Evidence....................................................... 148 4.8.7 Expert Witnesses ........................................................................................................ 149 4.8.8 Security Consultant Client Privilege .......................................................................... 149 4.9 State Digital Forensics Law .............................................................................................. 150 4.10 The CLOUD Act ............................................................................................................. 151 4.11 Emerging Data Encryption Laws .................................................................................... 152 4.11.1 Ensuring National Constitutional Rights for Your Private Telecommunications (ENCRYPT) Act.................................................................................................................. 152 4.11.2 Secure Data Act ........................................................................................................ 152 4.12 Biometrics Law ............................................................................................................... 152 4.13 Genetic Information Privacy Laws ................................................................................. 154 Chapter 5 Acts, Standards & Regulations................................................................................... 159 5.1 Basel III Accord ................................................................................................................ 160 5.2 Chemical Facility Anti-Terrorism Standards (CFATS) Act ............................................. 161 5.3 Defense Federal Acquisition Regulations Supplement (DFARS) .................................... 163 5.3.1 Minimum Requirements for DFARS ......................................................................... 
164 5.3.2 Termination of Contracts and Penalties for Non-Compliance ................................... 165 5.4 Directive on Security of Network and Information Systems NIS Directive ..................... 165 5.5 European Union Cybersecurity Act .................................................................................. 166 5.6 Family Educational Rights and Privacy Act (FERPA) ..................................................... 167 5.7 Federal Financial Institutions Examination Council (FFIEC) .......................................... 168 5.8 Federal Information Security Management Act (FISMA) ................................................ 168 5.9 Financial Industry Regulatory Authority (FINRA) Rules ................................................ 169 5.10 Food and Drug Administration Code of Federal Regulations Title 21 Part 11............... 170 5.10.1 ALCOA Model ......................................................................................................... 171 5.11 Health Information Technology for Economic and Clinical Health Act (HITECH) 172 5.12 Health Insurance Portability and Accountability Act (HIPAA)...................................... 173 5.13 Joint Commission on the Accreditation of Healthcare Organizations (JCAHO)............ 173 5.14 North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP)....................................................................................................................... 176 5.15 Payment Card Industry – Data Security Standard (PCI-DSS) .......................................... 177 5.16 Sarbanes Oxley Act (SOX) ............................................................................................. 178 5.16.1 Cybersecurity Flaw Whistleblower Protection ......................................................... 179 5.17 Standards ......................................................................................................................... 
179 5.17.1 International Organization for Standardization (ISO) Security Standards................... 180 5

Chapter 6 Creating a Cybersecurity Law Program ..................................................................... 195 6.1 Cybersecurity Law Program.............................................................................................. 196 6.1.1 Model .......................................................................................................................... 196 6.1.2 Architecture ................................................................................................................ 199 6.1.3 Program Staffing and Roles ........................................................................................ 200 6.1.4 Program Policies ......................................................................................................... 203 6.1.5 Program Procedures .................................................................................................... 206 6.1.6 Program Technology .................................................................................................. 208 6.1.7 Mapping Legal Requirements to Controls.................................................................. 212 6.1.8 ISO/IEC 27002 on Compliance Controls ................................................................... 214 6.2 Cyber Liability Insurance .................................................................................................. 214 6.2.1 Coverage Categories ................................................................................................... 215 6.2.2 Policy Restrictions ...................................................................................................... 217 6.2.3 Policy Value ............................................................................................................... 217 6.2.4 Policy Cost.................................................................................................................. 
218 6.2.5 Policy Claims.............................................................................................................. 218 6.2.6 Policy Claim Disputes ................................................................................................ 219 6.2.7 Policy Lawsuits........................................................................................................... 219 6.2.8 Act of War Defense .................................................................................................... 222 6.2.9 Insurable vs Uninsurable Risk .................................................................................... 222 6.2.10 Cyber Risk Insurance Pools ...................................................................................... 223 6.2.11 Silent Cyber Risk Insurance ..................................................................................... 223 6.3 Data Breach Worksheet ..................................................................................................... 224 6.3.1 Data Breach Calculators ............................................................................................. 224 6.4 Compliance Auditing ........................................................................................................ 225 6.4.1 Critical Audit Matters (CAM) .................................................................................... 226 6.4.2 Internal vs. External Auditing .................................................................................... 227 6.4.3 Auditing Associations................................................................................................. 229 Chapter 7 Future Developments in Cybersecurity Law .............................................................. 235 7.1 Future of Cybersecurity Legislation.................................................................................. 
236 7.1.1 Constutionality of Cybersecurity Law ........................................................................ 236 7.2 Impact of Technology on Cybersecurity Law ................................................................... 237 7.2.1 Legal Implications of the Internet of Things (IoT)..................................................... 237 7.2.2 Legal Implications of Big Data .................................................................................. 238 6

7.2.3 Legal Implications of Cloud Computing .................................................................... 239 7.2.4 Legal Implications of Security Testing ...................................................................... 240 7.3 Future US Cybersecurity Legislation ................................................................................ 242 7.4 US Foreign Policy on Cybersecurity................................................................................. 244 7.5 National Association of Insurance Commissioners (NAIC) Model Cybersecurity Law .. 246 7.6 Harmonization of International Cybersecurity Laws ........................................................ 248 7.6.1 Cybersecurity Law and Trade Pacts ........................................................................... 248 7.6.2 Harmonization of Cybersecurity and Privacy Law .................................................... 249 7.6.3 Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) Cybersecurity Framework ................................................................................................... 249 7.6.4 Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System ................................................................................................................................. 252 7.6.5 US-Mexico-Canada Agreement (USMCA)................................................................ 254 7.6.6 Cyberbalkanization Laws ........................................................................................... 255 7.6.7 Data Localization Laws .............................................................................................. 255 7.6.8 Singapore Payment Services Act ................................................................................ 257 7.7 Aligning the Law of the Sea to Cybersecurity Law .......................................................... 
258 7.8 Cybersecurity Law in Outer Space.................................................................................... 259 7.9 The Law of Armed Conflict in Cyberwar ......................................................................... 260 7.10 North Atlantic Treaty Organization (NATO) Cyberlaw Stance ..................................... 261 7.11 United Nations – Universal Cybersecurity Legal Framework ........................................ 262 7.12 International Treaties on Cybersecurity .......................................................................... 263 7.13 Brexit Impact on European Union Cybersecurity Law ................................................... 264 7.14 G7 Perspective on Cybercrime ........................................................................................ 265 Appendix A ................................................................................................................................ 273 Useful Checklists and Information .......................................................................................... 273 Index ........................................................................................................................................... 283 Credits ........................................................................................................................................ 310 About the Author ...................................................................................................................... 314


Introduction to the 2nd Edition

Think about building your organization’s cybersecurity law program much like taking a trip to the law library. Would you know which law books you would most need? Generally, security professionals don’t. Further imagine the librarian walking you through the aisles of mahogany bookcases of case law and legal precedents, pointing out exactly which books to check out. Then imagine having a virtual paralegal to conduct research on the legal subjects pertinent to your cybersecurity program. I think you would agree that would be ideal. Well, that is the experience this book is designed to provide you.

Although I am not an attorney, I have spent nearly forty years researching, studying and applying legal and regulatory statutes to security programs. It is these lessons learned, and this curation of the most applicable legal information, that I am passing on to you in order to make your job as a security manager just a little bit easier. One cannot create an effective cybersecurity program without aligning it to cybersecurity laws, standards and regulations.

The information in this book has been organized in order of importance to security managers and practitioners. The book by design doesn’t republish laws, regulations and standards in their entirety; I did not want to load the book up with information that is easily acquired elsewhere. I have provided many hyperlinks (digital version) and URLs (print version) to guide you to the authoritative sources of the statutes covered within the book. I wanted this book to be as concise as possible, yet jam-packed with information you can use now and often going forward. I have integrated a “Did You Know” series of callout boxes that highlight interesting and relevant legal cases, precedents or events that bring to life the information discussed, in order to show you that what I am presenting has actually happened.

To help you retain the information within this book and hone your cyberlaw skills, each chapter has ten self-study questions. You should use this book as your virtual cybersecurity law reference library and on-call cyberlaw paralegal.

The following is an overview of each chapter:

Chapter 1: Introduction to Cybersecurity Law – To establish a foundation in cybersecurity law, this chapter walks you through just enough legal foundation to provide you with insight into the basics of cyber law, how cybersecurity statutes have evolved, and how cybercrimes are enforced and prosecuted. This information won’t allow you to pass the bar exam, but it will allow you to have substantive conversations with your organization’s legal counsel and to understand the difference between criminal and civil offenses, as well as how cybercriminals are prosecuted. Equally important, this information will help you to understand the cybersecurity laws and regulations that you will undoubtedly encounter without having to run down the hall and ask your in-house legal counsel how they apply to cybersecurity within your organization.

Chapter 2: Overview of US Cybersecurity Law – Armed with a solid understanding of legal basics, you can begin reading about US cybersecurity law. This chapter introduces you to computer crime laws in the private and public sector and how crimes are litigated, and walks you through data breach lawsuits and how they get started. Essential doctrines such as duty of care, failure to act, reasonable person, and common law are also covered. You will learn about the rules of criminal and civil procedure used in cybercrime and data breach cases. The chapter presents an overview of US Federal computer crime statutes and state computer crime laws.

Chapter 3: Cyber Privacy and Data Protection Law – The origin of many cybersecurity lawsuits is the loss of a person’s or persons’ personal information. This chapter dives deep into all the types of laws that govern the protection of personally identifiable information. I begin with a discussion of the common law of privacy to establish a baseline of understanding. I then walk you through children’s, healthcare, Federal, state and international privacy statutes. Data breach litigation is broadly covered with insight into injury vs. no-injury cases and shareholder lawsuits. I also look at emerging legal privacy issues relating to digital wiretaps, digital assistants, and social media, and potential impacts to the Fourth Amendment.

Chapter 4: Cryptology and Digital Forensics Law – Here I cover two of the more complex aspects of cybersecurity law: cryptography and digital forensics. I delve into cryptography as it is the premier method of securing data from intentional or accidental disclosure. It is important to understand how the law views data encryption and its relationship to the Fifth Amendment. Digital forensics is integral to prosecuting cybercrime cases, as all evidence is gathered digitally and must follow the rules of civil and criminal procedure. You will also learn about cryptology and forensics legislation.

Chapter 5: Acts, Standards and Regulations – Throughout the book I introduce you to many different statutes as they align to the topics presented within their respective chapters. In this chapter, I cover over 20 national and international statutes that apply to various industries. I introduce you to some cybersecurity acts and regulations that are not as widely known. The Center for Internet Security (CIS), International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST) and other leading cybersecurity standards are covered in some detail, as they are used to comply with the acts and regulations shown throughout the book as well as within this chapter.

Chapter 6: Cybersecurity Law Program – Now that you have read the previous chapters and have gained a working understanding of cyberlaw, it’s time to build your cyberlaw program. In this chapter I provide you with a cybersecurity law program model and a supporting set of development templates. I also show you how you can hedge your cybersecurity program results through the adoption of a cyber insurance policy.

Chapter 7: Future Developments in Cybersecurity Law – Laws evolve over time, and in the world of cybersecurity emerging technology is a key driver in the evolution of cybersecurity legislation. In this chapter I discuss the legal implications of big data, cloud computing, the Internet of Things, and security testing. This chapter provides a forum for me to discuss cybersecurity law in, of all places, outer space and the sea. Treaties, international legal frameworks, and trade pacts are covered here.

Appendix A: As if the chapters didn’t provide you with enough information, I provide you with a rich appendix of useful sources of tools, resources and checklists.

This book makes extensive use of hyperlinks to aid the reader in finding supportive external information. Links have been verified up to the publication date; however, some links may be changed at their source or restricted by certain browsers. In the event of a broken link, you can either paste the URL in a browser or search on the associated link name.


Chapter 1 Introduction to Cybersecurity Law

A sense of excitement and anxiety simultaneously rushes over you upon receiving an invitation to present your cybersecurity program to the senior executives of your company. At last, you have achieved recognition for creating a cybersecurity program that meticulously follows industry standards! Your program has passed several independent assessments and even garnered approving nods from internal audit. Filled with confidence and thinking your life as a leader and manager in cybersecurity couldn’t be better, you embark enthusiastically on your carefully prepared presentation. Then, shortly after your opening remarks, your organization’s chief legal counsel chimes in, “Have you ensured our cybersecurity program complies with and supports all the legal statutes we must adhere to?” The room goes silent and all eyes are on you: your answer to this question will get the immediate attention of the senior leadership of your company – and imprint the question of your subject-matter competency on their minds. As the champion of your organization’s cybersecurity program, your challenge is to answer this question skillfully to earn the confidence and respect of those with the authority to support and fund your cybersecurity initiatives. This chapter provides you with the foundation to answer this and many more questions on the legal aspects of cybersecurity.

This chapter will help you to:
• Communicate effectively with your company’s legal counsel by having a working knowledge of how the US legal system applies to cybersecurity.
• Seek out and implement ways to improve your company’s cybersecurity program to avoid post-cyberattack lawsuits.
• Upgrade your cybersecurity policies to comply with state, federal, and regulatory statutes.

1.1 Infamous Cybercrimes

Cybercrime using a computer first became a thing in 1973, when a 41-year-old Chief Teller at Union Dime Savings Bank in New York, NY was arrested and charged with stealing $2.5 million from the bank’s deposits. He used the bank's computer to “shuffle” hundreds of individual accounts and then fed fraudulent and inaccurate information into the computer so that those accounts always appeared up to date (Fosburgh, 1973). I remember from a control seminar years ago that this case was cited as the reason banking regulators instituted the two-week vacation rule, which requires senior managers or those in sensitive positions to take vacations in order to allow others to potentially uncover fraud.

You may have seen many headlines, articles, or lists showcasing computer hacking and other cybercrime events; however, few focus on the cybercriminals who have been charged, prosecuted, and convicted for their cyber offenses. Before we begin our cybersecurity law journey, I think it only appropriate to offer a brief historical perspective of what happened when the crime was over and the offenders were punished. Significant cybercrime court cases of the past ten years include:

• September 24, 2010 – The first Voice over Internet Protocol (VoIP) hacker was sentenced to 120 months in prison for selling VoIP services for a profit. Edwin Andres was extradited after transmitting over 10 million minutes of unauthorized phone calls over the victim’s networks (FBI, 2010).
• July 22, 2011 – Rogelio Hacket was sentenced to ten years in prison and fined $100,000 for trafficking in stolen credit cards and aggravated identity theft leading to $36 million in fraudulent transactions (US Department of Justice, 2011).
• October 18, 2012 – Top executives of Kolon Industries were indicted for stealing DuPont’s Kevlar trade secrets, using computers to copy the intellectual property and then to destroy the data. Kolon pleaded guilty and paid $360 million in restitution, and several executives were sentenced to prison terms (E.I. DuPont de Nemours, 2011).
• July 26, 2013 – Five Russian and Ukrainian hackers were charged in a $300 million crime involving the theft and use of 160 million credit card numbers from Carrefour SA, JCPenney, JetBlue Airways, Visa, and others (Williams, 2015).
• August 27, 2014 – The former acting director of cybersecurity at the US Department of Health and Human Services (HHS) was convicted on child pornography charges. Ultimately he was sentenced to 25 years (Robinson, 2014).
• December 17, 2015 – Six defendants from China, Germany, Singapore, and the US pled guilty to a $100 million software piracy scheme. Over a period of six years, 170,000 stolen Microsoft and Adobe activation keys were sold illegally (US Department of Justice, 2015).
• September 1, 2016 – A Romanian hacker known as “Guccifer” received a 52-month prison sentence for 100 counts of unauthorized access to a protected computer and aggravated identity theft (US Department of Justice, 2016).
• April 21, 2017 – The son of a Russian lawmaker, Roman Seleznev, was sentenced to 27 years in prison for computer hacking crimes that caused at least $169 million in damage to 4,200 small businesses and financial institutions around the world (Perlroth, 2017).
• February 27, 2018 – Taylor Huddleson of Hot Springs, AR was sentenced to 33 months, plus two years of supervised release, not for hacking but for selling a remote access trojan (RAT) hacker tool called NanoCore to hackers for $25 (US Department of Justice, 2018).
• June 10, 2019 – Daniel Kelly, a South Wales, United Kingdom (UK) hacker with Asperger’s syndrome and depression, was sentenced to four years’ detention after a cyberattack on the UK telecommunications company TalkTalk. Kelly used stolen information to blackmail, bully and intimidate victims (UK News, 2019).

Did You Know?
Prior to the 27-year sentence of Roman Seleznev, the longest sentence for a US computer crime was 20 years, handed down to the TJ Maxx hacker Albert Gonzalez in 2010. Is your company willing to assist in the prosecution of a computer hacker who stole sensitive information?
Source: https://www.justice.gov/opa/pr/leader-hacking-ring-sentenced-massive-identity-thefts-payment-processor-and-us-retail

Crime doesn’t always pay, as these high-profile cases prove.

TIP: Use the examples above to compare against the security technologies and practices you currently have in place, and ask yourself whether your methods would have detected trade secret theft, hacker intrusions, a senior executive violating a security policy, use of pirated software, or employee identity theft.

1.2 Cybercrime Taxonomy

To provide you with a sense of the types of cybercrimes that bad actors could commit, Table 1-1 presents a taxonomy of cybercrimes divided between crimes that are primarily people-oriented and those requiring technology.

Table 1-1. Cybercrime Taxonomy

Bad Actor-Centric        | Technology-Centric
-------------------------|---------------------------------------
Advance Fee Fraud        | Cyber Vandalism
Cyber Activism           | Data Theft
Cyber Bullying           | Distributed Denial of Service (DDoS)
Cyber Blackmail          | Exploit Kit Sales
Cyber Espionage          | Hacking
Cyber Revenge            | Identity Theft
Cybersquatting           | Malware
Cyber Stalking           | Phishing Attacks
Cyber Terrorism          | Prohibited or Illegal Content
Romance Scam             | Ransomware
Social Engineering       | Scareware
Theft of Service         | Spamming

1.3 Civil vs. Criminal Cybersecurity Offenses

As the manager of cybersecurity, you may need to deal with both civil and criminal cases.
• Criminal cases will result from either an insider committing a cyber offense or an external party hacking into your computer systems.
• Civil cases will arise from your organization suing a company, or from a company suing you, for some harm caused by a cyberattack.

In both instances, your cybersecurity program will need to address each scenario. You must also be ready to be either the plaintiff or the defendant.






• In a civil case, as the plaintiff, you would be claiming that some entity has failed to fulfill a legal duty. For example, you would be the plaintiff if your company is bringing suit against a cloud service provider that exposed your customers’ data due to an incorrectly configured firewall. As a defendant, an entity would be accusing your organization of the same.
• In criminal cases, the government or a private entity will bring the case against you (the defendant), and your role will be to gather evidence to disprove the alleged offense. For example, you will be the defendant if a class action lawsuit is brought against your company following a hacking incident where customer data was stolen.

Did You Know?
In August of 2019, Capital One named hosting service GitHub in a class action lawsuit claiming they should have noticed and removed customers’ personal data during the three months they hosted the data. Do you have agreements with hosting companies to verify you do not host personal data?
Source: https://www.globaldatasentinel.com/the-latest/data-security-news/github-named-in-capital-one-hack-lawsuit/

By now, you should be contemplating how to ensure your cybersecurity program supports these legal scenarios. The determination of whether it is a civil or criminal matter begins with the establishment of the crime.

1.3.1 Clarifying the Definition of Cybercrime

No universal definition of cybercrime exists; however, a general consensus exists that cybercrime falls into two categories. The first category is existing crimes that are now committed using computers and networks. The second includes crimes that have specifically evolved in the computer age and use sophisticated methods to commit crime. Definitions of cybercrime have fundamental similarities in a broad sense; however, a diverse array of opinions nonetheless exists.

Not surprisingly, many courts also have varying interpretations of cybercrime, including how to even spell the term, which is often referred to as cyber crime, cyber-crime, or cybercrime. Contributing to the disparity of definitions is the changing landscape of technology. Cloud computing, software-defined infrastructure, big data, mobile computing, and outsourcing have all but obliterated many definitions of cybercrime. A clear and concise definition of cybercrime establishes the proper foundation for developing policies and practices to detect, prevent, and mitigate offenses. I will discuss more about policy creation in Chapter 6.


An understandable definition of cybercrime bridges the gap between the law and your cybersecurity program and brings clarity to the portions of your cybersecurity program that address criminal offenses.

1.3.2 Challenging Your Current Definition of Cybercrime

Is the current description of the crimes clear and concise enough to create actionable policies and practices? Many definitions just state that computer crime is the commission of a crime through the malicious direct or initial use of computer equipment and networks. I argued just such a point with a client once and even performed a drop USB attack simulation to prove the point. The exercise consisted of Universal Serial Bus (USB) sticks strewn across their parking lot, with the hope that a few unsuspecting employees would pick them up and attempt to read the data.

Approximately a dozen employees were detected by the client’s endpoint security software plugging the USB sticks into their computers. The exercise showed that no crime had been committed according to their definition, as neither a computer nor a network was used to directly commit the offense. Their legal department agreed and subsequently made modifications to their definition of cybercrime. How do you feel your employees would do with a similar test?

Did You Know?
In 2016, 300 USB devices were strewn around the campus of the University of Illinois at Urbana-Champaign. Ninety-eight percent were picked up, with 45% plugged into computers and their files opened. Can your company stop a USB drop attack?
Source: https://www.proofpoint.com/us/security-awareness/post/usb-attacks-how-do-you-counteract-curiosity

1.3.3 Creating a Strong Cybercrime Definition

Depending on geographical location and jurisdiction, cybercrime definitions vary. You will want your cybercrime definition to hold true regardless of the rapidity of legislative and technological change, as well as to adhere to multiple legal jurisdictions. Consider peer-testing your cybercrime definition against one that I have developed over my career of working with numerous companies. This definition has evolved from dozens of legal department reviews:

Cybercrime is a criminal act in which computer-based equipment, automated services, or communications mechanism is either the object or the means of perpetrating legal or regulatory restricted or prohibited offenses.

Such a definition has a number of advantages:

• Including the word offenses in the definition rather than citing specific examples such as theft or fraud makes the definition timeless.
• The use of words such as equipment, service, and communications frees the definition from being dependent on specific technologies.
• You will not need to cite specific examples such as cybertheft or computer fraud in your definition, as those examples will always be a crime regardless of a cyber component.

To ensure that your cybersecurity program defines cybercrime adequately in an actionable sense, be sure to validate the definition with your company lawyers.

1.3.4 Cybercrime Categories in the Incident Response Plan

Once you have a vetted and approved cybercrime definition, don’t forget about identifying the likely types of cybercrimes to which your organization is exposed. Naming cybercrimes within the definition would burden the description unduly by limiting its applicability and usefulness, which is why it is important to identify them separately. The proper place to address the identified cybercrimes is in your company’s incident response plan, a set of instructions or tasks specifying the actions necessary to respond to a specific security emergency. Emergencies could include virus outbreaks, loss or theft of an employee-assigned laptop containing sensitive information, or a ransomware attack. Using a risk assessment as your guide, focus on the cybercrimes with the highest likelihood of occurrence that also have a correspondingly high potential impact. To aid in the identification of cybercrimes, you will find it helpful to examine the four primary categories:

1. Personal Cybercrimes. These types of crimes target people and consist of cyberbullying, cyberstalking, identity theft, identity impersonation, fraud scams, blackmail, data theft, ransomware attacks, etc.
2. Institutional Cybercrimes. These types of crimes target companies or governments and consist of denial of service attacks, cybervigilantism, cyber terrorism, cyber-slander, hacktivism, website defacement, etc.
3. Property Cybercrimes. These types of crimes target digital property and consist of data theft, computer sabotage, data destruction, etc.
4. Inchoate Cybercrimes. Inchoate is a specific legal term that is used to describe crimes that have been started but not completed. An example of this type of crime would be where a hacker has completed the initial steps of an attack on a network or computer (target). These steps could include scanning the target for potential vulnerabilities, verifying that the vulnerabilities exist on the target, and installing malicious software to siphon away confidential data. In this example, all the hacker would need to do to complete the crime is activate the malicious software remotely. What makes this example an inchoate crime is that the last step of activating the malicious software is never completed. Despite the fact that such crimes are incomplete and no harm has yet occurred, they were nonetheless attempted, demonstrating that a substantial criminal effort was under way. Inchoate crimes also include cyber conspiracy, cybersolicitation, cyberstalking, and other types of attempted crimes.

TIP: The tone and scope of a cybersecurity program start with a proper cybercrime definition. The definition will shape the construction of information and asset protection policies and practices. Address specific high-risk cybercrimes within your incident response plan.

1.4 Understanding the Four Basic Elements of Criminal Law

It would be nearly impossible to build connections to the law in your cybersecurity plan without at least knowing the fundamentals of criminal law. If you know how the legal system determines guilt or innocence, you can better create a cybersecurity program with appropriate enforcement mechanisms. One of the biggest disconnects between cybersecurity programs and the law is in the area of security policies. You will need to ask yourself whether the security policies of your company hold employees to a higher standard than the law, or whether you would terminate an employee for violating a policy without criminal intent. Policies will be discussed more in Chapter 6. The four elements of criminal law with which you should be familiar are mens rea, actus reus, concurrence, and causation. It is advisable to use these four elements of criminal law as your security policy enforcement standard to avoid legally contested terminations resulting from a security policy violation.

1.4.1 Mens Rea

The first element of criminal prosecution is proving mens rea, or a guilty state of mind of the offender. You may also think of this as the evil intent of the offender. However, as cybercriminals operate remotely and generally without witnesses, it is nearly impossible to prove their intent or state of mind while they are hacking into a computer system or network.

1.4.2 Actus Reus

Actus reus is the second and the most critical element of pursuing a case against an unknown subject (unsub) or perpetrator. Simply put, actus reus is the criminal act itself: law enforcement collects the evidence and witness testimony necessary to prove beyond a reasonable doubt that one or more individuals committed the crime. Unfortunately, existing laws all but make it impossible for prosecutors to establish actus reus, due in part to the ease with which criminals can cover their digital tracks or evidence. Uncovering evidence requires highly experienced forensic investigators. See Chapter 4 for more detail on digital forensics.


1.4.3 Concurrence

The third element of a crime is concurrence. As if mens rea and actus reus were not difficult enough to determine individually, prosecutors also need to show they occurred at the same time – the element of concurrence. Offenders cannot be found guilty without a direct connection between the mens rea and actus reus elements of a crime; in other words, they had the intent to violate a law as well as cause harm. Early computer criminals were often found not guilty because prosecutors could not prove both their evil intent and their evil acts.

1.4.4 Causation

Causation is the fourth element of an offense and one of the most difficult to prove. Here, prosecutors must prove the criminal activity and the outcome or detrimental effects of that activity. Causation is essentially actus reus in association with harm. The difference between the elements of concurrence and causation may seem subtle, but it is significant. Concurrence just means that two things must happen at the same time. Causation is the conduct of the perpetrator and the result of his or her act. You may think of this as the harm caused to people or property as a result of a criminal activity. Figure 1-1 is a summary of the four essential elements of criminal law.

Figure 1-1. Four Basic Elements of Cybercrime Model. (By Tari Schreider, licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License)


1.5 Branches of Law

You will encounter three basic types of law in cybersecurity: public, private, and regulatory.

• Public cyberlaw refers to cybercriminals and the government. Public law is part of the criminal legal system, allowing the government to bring an action against those that violate cybersecurity and privacy laws.
• Private cybersecurity law applies to companies with respect to their obligations and contracts. Private law, part of the civil legal system, allows companies to resolve common law disputes, also called tort law.
• Regulatory law, also known as administrative law, sets out the rules and regulations prescribed by various governmental agencies.

1.6 Tort Law

Up to this point, you have learned how cyberlaw relates to criminals, but how does cybersecurity law relate to your organization? Organizations can be held liable for a cyberattack. The last thing you would want to occur after surviving an attack is to face a lawsuit for causing or contributing to the cyberassault. A tort is a civil wrong that happens when a group or individual commits an act or omission that causes harm or loss. The primary purpose of tort law is to compensate or provide relief to injured parties for the damage caused by others. The courts also impose penalties and fines to the extent they serve as a deterrent against future acts. The burden of proof in these cases usually shifts from the injured party to the accused party to prove they did no wrong. Although there are a number of different types of torts, as the cybersecurity manager you need only be concerned with cyber and strict liability torts. There are three types of torts:

• Intentional – Occurs when an intentional act results in damages to another.
• Negligence – Failure to follow a degree of care that a reasonable and prudent person would follow to avoid a foreseeable harm.
• Strict liability – Happens when a person does or omits to do something which is so beyond reasonable behavior standards that it is negligent on its face.

1.6.1 Cyber Tort

How would you handle the situation where the legal department informs you that several employees were named in either a cybertrespass or cyber harassment lawsuit? Knowing what to do begins with recognizing that cybersecurity tort is very real and is occurring with great regularity. Cybersecurity torts include intentional acts against persons or property. Cybersecurity torts are simply torts committed within cyberspace and fall into three general categories:

1. Intentional Cybercrimes Against Persons. Committing acts of cyberbullying, cyber defamation, cyberstalking, and other attacks against people who are specifically targeted.
2. Cybertrespass to Chattel. Chattel is nothing more than moveable property, which in legal terms includes computers, networks, or related services. In this context, cybertrespass would be the act of preventing the owner from possessing or using the property as the owner intended. This crime can include offenses such as denial of service (DoS) attacks, SPAM, and spyware. Not all courts agree on the use of cybertrespass, due primarily to the overlap with unauthorized access laws.
3. Cyber-Conversion. The stealing of someone’s Internet domain name, committing session hijacking, or using computer services not authorized previously, etc. Essentially it is where someone obtains a cyber resource or service and converts it to their own use without authorization.

You can detect most cyber tort offenses through the use of security technologies such as security incident and event monitoring (SIEM), intrusion detection systems (IDS), and data loss prevention (DLP) systems. Company collaboration systems and emails can be monitored for key words related to cyberbullying or harassment; email scanning software can block SPAM; and session encryption can be used for website communications to prevent someone from capturing a session cookie. I encourage you to think of threats outside of the conventional sense and think about them as crimes. Then think about what tools you could apply to detect and prevent these types of crimes.

1.6.2 Strict Liability Tort

Strict liability determines who is legally responsible for damages even in the event they were not at fault or negligent. Often used in product liability cases, strict liability is setting the standard for cybersecurity cases. Here, your company owes its customers a duty to protect their information, especially in light of the fact that cyberattacks are reasonably foreseeable given the preponderance of published attack evidence. A successful cyberattack against your company will undoubtedly expose it to regulatory and civil liabilities. Having a legal strategy in place pre-breach to handle strict liability tort claims is a critical component of any cybersecurity program. I will discuss creating a program in Chapter 6. You must also recognize that your cybersecurity program will be under a legal microscope. You will need to prove that your company used a risk-based approach, applying security controls commensurate with the threats to information and assets. Or in other words, you did what would be considered reasonable to detect and defend against an attack – often called the “reasonable person test.” But it doesn’t stop there; you will also need to prove that your actions during the attack did not cause or contribute to the harm caused.

Did You Know?
In 2018, the Pennsylvania Supreme Court ruled that the University of Pittsburgh Medical Center (UPMC), the defendant, “realized or should have realized the likelihood that his actions could create a situation in which a third party might avail himself of an opportunity to commit a tort or crime.” Does your cybersecurity risk management program reasonably foresee cyberattacks?
Source: http://cyber.pabar.org/index.php/2018/12/03/pennsylvania-supreme-court-holds-employers-have-duty-to-protect-employee-data-from-cyberattacks/

1.6.3 Tort Precedents

Significant tort precedents relating to organizational liability exist that you and your legal department may find useful to examine:

• Lone Star Bank, et al. v. Heartland Payment Systems (5th Cir., September 2013).
• Patco Constr. Co. Inc. v. People’s United Bank (1st Cir., July 2012).
• Dittman v. UPMC (Pa. Nov. 21, 2018).

In the first two cases, the court determined that the defendants (People’s Bank and Heartland) did not act in a commercially reasonable way. Commercially reasonable is an important term, as it is regularly used in cybersecurity services contracts. Vendors will often state in their contract that they “will use commercially reasonable means to secure the customer's data.” In legal terms this means “conducted in good faith and in accordance with commonly accepted commercial practice.” The court used this standard to determine whether People’s Bank or Heartland implemented reasonable security safeguards in light of the known threat and whether they followed generally accepted security practices. Both companies paid significant financial penalties and agreed to improve their data protection practices as part of their settlements. In Dittman v. UPMC, the Pennsylvania Supreme Court held that an employer has a legal duty to exercise reasonable care to safeguard employee personal data on Internet-accessible computer systems. Under the economic loss doctrine, recovery for purely pecuniary damages is permissible under a negligence theory “provided that the plaintiff can establish the defendant’s breach of a legal duty arising under common law that is independent of any duty assumed pursuant to contract” (Mooney, 2018). Ensuring your cybersecurity program is deployed according to generally accepted security practices is not just a matter of sound business judgment, but the measure by which a court will judge your defense in the event of a lawsuit resulting from a data breach.

TIP: Request that your legal counsel set up a meeting to conduct a cyber tort assessment to review your current cybersecurity program to ensure your company can defend itself from a post-breach strict liability lawsuit.
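Section 1.6.1 above says collaboration systems and email can be monitored for key words related to cyberbullying or harassment. The following is an added example, written for this edition's technical review and not code from the book or its author, of what that monitoring looks like in practice. It assumes a hypothetical indicator phrase list (in a real program the phrases come from HR and legal policy), constructs a handful of sample messages, and escalates only when the same sender repeatedly targets the same recipient, because harassment and cyberstalking are patterns of repeated conduct and a single matched phrase is far more often a false positive than a tort.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical indicator phrases (an assumption of this example): in practice the
# list is agreed with HR and legal, not hard-coded.
HARASSMENT_TERMS = (
    "nobody wants you here",
    "watch your back",
    "i know where you live",
    "quit before we make you",
)


@dataclass(frozen=True)
class Message:
    """One collaboration-system or e-mail message as exported by the platform."""
    sender: str
    recipient: str
    text: str


def normalize(text: str) -> str:
    """Lower-case and strip punctuation so 'Watch...your BACK!!' still matches a term."""
    text = re.sub(r"[^a-z0-9\s]", " ", text.lower())
    return re.sub(r"\s+", " ", text).strip()


def match_terms(text: str, terms=HARASSMENT_TERMS) -> list:
    """Return the indicator phrases present in text, matched on whole words only."""
    norm = normalize(text)
    return [t for t in terms if re.search(r"\b" + re.escape(normalize(t)) + r"\b", norm)]


def flag_targeting(messages, terms=HARASSMENT_TERMS, threshold=2) -> dict:
    """Group matching messages by (sender, recipient) and keep only pairs with at
    least `threshold` hits: repeated targeting is what distinguishes harassment
    from a one-off remark, so single matches are recorded but not escalated."""
    hits = defaultdict(list)
    for m in messages:
        terms_hit = match_terms(m.text, terms)
        if terms_hit:
            hits[(m.sender, m.recipient)].append((m, terms_hit))
    return {pair: hit_list for pair, hit_list in hits.items() if len(hit_list) >= threshold}


def review_report(flagged: dict) -> list:
    """Flatten flagged pairs into records a legal or HR reviewer can act on."""
    report = []
    for (sender, recipient), hit_list in sorted(flagged.items()):
        report.append({
            "sender": sender,
            "recipient": recipient,
            "message_count": len(hit_list),
            "terms": sorted({t for _, terms_hit in hit_list for t in terms_hit}),
        })
    return report


# Constructed sample messages for demonstration only; none are real.
SAMPLE_MESSAGES = [
    Message("alice", "bob", "Nobody wants you here, Bob."),
    Message("alice", "bob", "Watch...your BACK!!"),
    Message("alice", "bob", "I know where you live."),
    Message("carol", "dave", "watch your back, the printer is jamming again"),  # one-off, not escalated
    Message("erin", "frank", "Can you review the incident response plan by Friday?"),
]


if __name__ == "__main__":
    for record in review_report(flag_targeting(SAMPLE_MESSAGES)):
        print(record)
```

Only the alice-to-bob pair reaches the review report; carol's single match is kept in the raw hits but not escalated. The same grouping logic applies to any message source a SIEM or DLP system can export, and the threshold is the knob that trades missed early warnings against reviewer fatigue.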

1.7 Cyberlaw Enforcement

The cyberlaw pendulum has now swayed to the extreme where today hundreds of various local, state, federal, and international cybercrime laws and regulations exist. This myriad of statutes has made understanding who is responsible for enforcement difficult at best. In some cases, an organization may have a dozen enforcement authorities that may bring suit for violating a computer offense statute. Some federal agencies have even been accused of overstepping their authority in punishing companies for weak cybersecurity. As computer security laws become less ambiguous and courts gain more experience prosecuting cases, the lines of enforcement authority are likely to become blurred. Thus, courts may no longer beg off taking on a case, leaving open the possibility of competing jurisdictions. You will need to identify all regulatory entities that carry enforcement authority over your cybersecurity program.

1.7.1 Regulatory Enforcement

Agencies or industries that have the authority to regulate your company generally have the power to direct your organization to protect your customers from cyberattack harm. The two types of industry-focused regulatory authorities you will encounter are industry (self-regulating) and government (enforced by law). They carry the same essential oversight and enforcement power, but with one primary distinction. Industry regulatory entities enforce their compliance through fines and sanctions for noncompliance. Government entities enforce compliance through legal fines and criminal penalties, including incarceration. The following are examples of industry regulatory authorities covering cybersecurity:

• Industry Self-Regulated Oversight.
  o Financial Services: Financial Industry Regulatory Authority (FINRA).
  o Healthcare: Joint Commission on the Accreditation of Healthcare Organizations (JCAHO).
  o Retail: Payment Card Industry Data Security Standard (PCI DSS).
  o Utility: The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP).
• Government Industry Oversight.
  o Banking: Federal Financial Institutions Examination Council (FFIEC).
  o Chemical: The Chemical Facility Anti-Terrorism Standards Regulation (CFATS).
  o Education: Family Educational Rights and Privacy Act (FERPA).
  o Food and Drug: US Food and Drug Administration Code of Federal Regulations Title 21 Part 11.
  o Government: Federal Information Security Management Act (FISMA).
  o Healthcare: Health Insurance Portability and Accountability Act (HIPAA).
  o Healthcare: The Health Information Technology for Economic and Clinical Health Act (HITECH).
  o Public: Sarbanes-Oxley Act (SOX).

For each regulation to which your organization must adhere, you need to understand the enforcement capabilities of the regulatory body thoroughly. For those of you who don't think regulatory enforcement carries much weight, just ask Equifax. On January 13, 2020, the FTC announced that Equifax agreed to spend $1 billion on improving their cybersecurity program over the next five years.

1.7.2 Local Enforcement

Local computer-related enforcement exists for cybercrime offenses occurring within the boundaries of a city, county, or parish. Although some larger local law enforcement agencies have published computer crime codes, the majority enforce state computer use and abuse acts. Local laws issued for computer crime are commonly referred to as municipal codes or ordinances. Many local municipalities amend city codes to include state computer crime codes so that these types of offenses can be prosecuted in municipal courts.

1.7.3 State Enforcement

States have both data breach and computer crime laws with which you will need to familiarize yourself. In both cases, state prosecutors have the authority to enforce these laws through fines and incarceration. To date, the majority of cybercrime cases adjudicated at the state level have involved child pornography; however, that is rapidly changing as state courts become more sophisticated in pursuing other types of cybercrime cases. State courts are ideal for prosecuting computer-based crimes where the offender and victim reside within the same state. Over 40 states have a State Bureau of Investigation (SBI) with specialized computer crime units. These units are typically co-funded by the US Department of Justice (DOJ) and ostensibly act as a state version of the Federal Bureau of Investigation (FBI). They must be called in by a municipal entity in cases where the state has an interest. Their role is to assist in cybercrime investigations.

1.7.3.1 Computer Crime Cases

State computer crime laws prohibit the use of computer equipment and communications to commit illegal activities consisting of any one of the previously listed cyber torts. Penalties for violating state cybercrime codes will include fines and incarceration. You should identify your state’s computer crime statute as well as which district court covers your area.


1.7.3.2 Data Breach Cases

All US states and territories have enacted a data breach notification law to protect their citizens from identity theft and financial fraud. The important aspect of these laws is that, in order to be subject to them, your company does not have to maintain a location in a particular state, but only needs to have customers resident in that state. You will need to review each state data breach notification law to ensure each relevant aspect of your cybersecurity program complies. You should pay particular attention to your security policies, data loss detection practices, and incident response program.

Did You Know?
On January 8, 2019, the first ever multi-state data breach lawsuit was filed in Indiana against Fort Wayne-based Medical Informatics Engineering and its subsidiary NoMoreClipboard. Twelve states’ Attorneys General allege these companies “failed to take adequate and reasonable measures to ensure their computer systems were protected,” resulting in a 2015 breach that gave hackers access to the personal healthcare information of 3.9 million US citizens. Does your company have the resources to defend against a multi-state data breach lawsuit?
Source: https://www.theexpertinstitute.com/12-us-states-join-forces-to-file-first-ever-multi-state-data-breach-lawsuit/

1.7.4 Federal Enforcement

The DOJ is responsible for enforcement of federal computer crime laws, prosecuting cases where the government has an interest. The DOJ’s Computer Crime and Intellectual Property Section (CCIPS) investigates and prosecutes cybercrimes referred by government agencies, the private sector, academic institutions, and foreign counterparts.

1.7.5 International Enforcement

International enforcement of cybercrime is predominantly accomplished through transborder law enforcement partners or task forces in cases of major cybercrime. In the event your organization is attacked by an international cybercrime ring, you will undoubtedly invest a significant amount of resources and time gathering evidence. Such was the case with Facebook’s 2012 cyberattack. In this example, the DOJ, FBI, and a cadre of international law enforcement agencies sought to take down an international cybercrime ring. Facebook’s security team provided assistance to law enforcement throughout the investigation by helping to identify the root cause, the perpetrators, and those affected by the malware used by the crime ring. However, merely having these laws on the books hasn’t made enforcing and prosecuting cybercriminals much easier. Pursuing cybercrime cases is far more challenging than pursuing traditional crimes because cybercrime lacks the specialized law enforcement resources and digital forensic techniques available for conventional crime. These resources are necessary to gather evidence to prove mens rea and actus reus.


1.8 Cybersecurity Law Jurisdiction

Jurisdiction is the right to resolve a complaint, which means it is the burden of a plaintiff (the party who initiates a lawsuit) to prove that a particular court has the authority to adjudicate the penalties of the offense. The origin of the attack and the locations of the data and victims all play a role in determining jurisdiction. A further complication is that the jurisdictional venue must also have an appellate (appeal) court. Laws, enforcement, and penalties vary widely by jurisdiction depending on whether the case is a cybercrime or strict liability case. Not all venues have the same level of computer offense expertise, which could be reason enough to request a change of venue. A change of venue is simply requesting that a different court handle the case based on that court’s expertise in computer crime litigation. Cybercrime cases are heard in the same court system as other criminal or civil cases. Figure 1-2 shows the jurisdictional boundaries where cybercrime cases would be heard.

Figure 1-2. Cybercrime Trial Courts. (By Tari Schreider, licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License)


1.8.1 Challenging Jurisdiction

You should create a matrix of the states and countries where your business operates and the locations of your service providers, as well as where your customers, suppliers, and data reside. Then, map all the related cybersecurity laws and regulations that apply to each location. This exercise will provide valuable insight into the rules and regulations with which your program should comply.

Did You Know?
On June 6, 2018, the U.S. Court of Appeals for the Eleventh Circuit found that the Federal Trade Commission’s (FTC) cease and desist order “mandates a complete overhaul of LabMD's data-security program and says precious little about how this is to be accomplished.” The court essentially erased the FTC’s order. Would your company fight in court a cease and desist order in relation to improving your cybersecurity program?
Source: https://www.wileyrein.com/newsroom-articles-FTC_Rebuked_in_LabMD_Case_Whats_Next_for_Data_Security.html

In 2015, the US Federal Trade Commission (FTC) and Wyndham Worldwide reached a settlement over allegations that the company violated federal law regarding the protection of customer records. The agreement ended a four-year battle in which Wyndham challenged the FTC over its authority to pursue charges against businesses that fail to protect consumers from cyberthreats (Higgins, 2015). In return for the FTC dropping federal charges, Wyndham stopped its opposition to the FTC’s authority and agreed to improve its cybersecurity program and submit to oversight monitoring by the FTC. Challenging the jurisdiction at the state or local level is very different from challenging it at the federal level. Should you decide to challenge at the federal level, be prepared for a lengthy fight.

The company LabMD, a $4.6 million blood, urine and tissue testing company based in Atlanta, GA, faced a similar disagreement with the FTC and tried to fight the FTC in court over its cease and desist order relating to a 2008 cyber incident. In 2008, a cybersecurity firm based in Pittsburgh, PA, called Tiversa contacted LabMD stating that it had acquired a document containing confidential information on 9,000 patients. LabMD investigated and found that an employee (against company policy) was using a music file sharing product called LimeWire. The manager of the billing department had left the file-sharing software open where others had access to the patient records file. LabMD’s IT staff removed the software and searched various peer-to-peer file sharing sites for evidence of the patient information, but found no evidence that anyone other than Tiversa had the file. Later, LabMD’s lawyer received a call from Tiversa’s lawyer saying they were concerned about being sued by the FTC for not reporting the incident (Lawrence, 2016). In 2010, the FTC’s Division of Privacy and Identity Protection got involved with LabMD and began an investigation. At the time, the FTC had brought more than 60 cases related to data security; all but LabMD had settled with consent decrees. After numerous meetings between the FTC and LabMD, the FTC filed its suit in 2013. In 2014, LabMD closed its doors, citing a drop in business and spending hundreds of thousands of dollars on legal fees. A once thriving business was out of business following a data security breach investigation by the FTC. This story involves much more, including accusations of coziness between the FTC and Tiversa, falsification of evidence, and other misdeeds. Dune Lawrence’s April 25, 2016 article in Bloomberg entitled “A Leak Wounded This Company. Fighting the Feds Finished It Off” provides more on this story and will also provide you with interesting insights into how not to handle an FTC inquiry.

TIP: If you are interested in seeing all cases where the FTC has or had cases related to privacy and security, go to https://www.ftc.gov/enforcement/cases-proceedings/terms/245 to learn more.

1.8.2 Extradition

It is hard to instill fear in hackers when most come from countries that have no extradition treaty with the US. Of the over 70 nations that will not extradite to the US, the top two havens for hackers, China and Russia, are on the non-extradition list. In fact, the Russian constitution forbids the extradition of Russian nationals. So basically, a Russian hacker has complete impunity when it comes to hacking US companies, regardless of how much evidence the US may have on the individual. Even when an extradition treaty is in place, the principle of “double criminality” must be proved. In other words, the offense must be a crime in both the country seeking extradition as well as the nation where the crime occurred. Extradition cases are best suited for government cybercrime prosecutions in which your company may be a party, since the government has the resources and experience as well as the authority to extradite cybercriminals. Table 1-2 shows that there have been, however, a number of successful extraditions of cyber criminals to the US:

Table 1-2. Top-10 Extradited Cybercriminals

1. Muhammad Fahd. Extradition country: Hong Kong. Year: 2019. Crime: Paid insiders at telecommunications giant AT&T to plant malware and otherwise misuse computer networks to unlock cellphones.
2. Peter Yuryevich. Extradition country: Spain. Year: 2019. Crime: Operation of the Kelihos botnet, which was used to facilitate malicious activities including harvesting login credentials, distributing bulk spam e-mails, and installing ransomware and other malicious software.
3. Aleksandr Musienko. Extradition country: South Korea. Year: 2019. Crime: Partnered with overseas cybercriminals who had hacked into and stole funds from online bank accounts belonging to a large number of individual and corporate victims in the United States.
4. Fabio Gasperini. Extradition country: The Netherlands. Year: 2017. Crime: Creation of a global botnet, and perpetration of a fraud in which bots were used to mimic “clicks” on website advertisements and obtain advertising revenue.
5. Joshua Samuel Aaron. Extradition country: Israel. Year: 2016. Crime: Hacking into the networks of dozens of American companies, ultimately leading to the largest theft of personal information from U.S. financial institutions ever.
6. Teodor Laurentiu Costea and Robert Codrut. Extradition country: Romania. Year: 2018. Crime: Identified vulnerable computers in the U.S. and installed interactive voice response software that would automatically direct callers to a purported financial institution due to a problem with their respective financial account.
7. Olayinka Olaniyi and Damilola Solomon Ibiwoye. Extradition country: Malaysia. Year: 2018. Crime: Conspiracy to commit wire fraud, computer fraud and aggravated identity theft.
8. Peteris Sahurovs. Extradition country: Poland. Year: 2016. Crime: Created malware that caused users’ computers to “freeze up” and then generate a series of pop-up warnings in an attempt to trick users into purchasing purported “antivirus” software to fix the problems.
9. Djevair Ametovski. Extradition country: Slovenia. Year: 2015. Crime: Operation of “Codeshop,” a website created for the sole purpose of selling stolen credit and debit card data, bank account credentials and personal identification information.
10. Hamza Bendelladj. Extradition country: Thailand. Year: 2013. Crime: Developing, marketing, distributing and controlling “SpyEye,” a pernicious computer virus designed to steal unsuspecting victims’ financial and personally identifying information.

Source: US Department of Justice Office of Public Affairs Justice news search.

TIP: To keep track of non-extradition countries, check out the World Population Review site at http://worldpopulationreview.com/countries/countries-withoutextradition/ for an up-to-date list.

1.9 Cybercrime and Cyber Tort Punishment

Punishment is two-fold:
1. Through the use of fines and incarceration to punish the perpetrators.
2. By punishing those who fail to protect (tort) their information and assets.

Both of these are problematic due to the lack of uniform sentencing guidelines. Making the punishment fit the crime has been a long-standing principle in law, with many precedents and sentencing guidelines for judges to follow. However, in the case of cybercrime, the complexity of the cybercrime makes sentencing offenders and companies challenging.

1.9.1 Cybercrime Punishment

Did You Know? In 2016, Onur Kopçak, a 26-year-old Turkish hacker, was sentenced to 334 years in prison for identity theft as well as mass bank fraud. He was arrested in 2013 for operating a phishing website that impersonated bank sites, tricking victims into providing their bank details, including credit card information. Can your employees identify a phishing site? Source: https://thehackernews.com/2016/01/hacker-sentenced-prison.html

Only a small number of hackers are ultimately caught and prosecuted. The difficulty of identifying and apprehending suspects, and of determining jurisdiction, has contributed to the low conviction rate. In fact, it is not unusual for cases to drag on for several years. Cybercrime punishment consists of all or some of the following: incarceration, fines, community service, restitution to victims, and probation.

For example, consider the 2016 conviction of 24-year-old hacker Aleksandr Andreevich Panin, also known as “Gribodemon” and “Harderman,” who authored the Trojan malware called SpyEye. His malware, SpyEye, was directly responsible for the theft of $500 million throughout the world beginning in 2009. Although SpyEye was widely known and tracked, it took eight years to identify the author, prosecute, and sentence the cybercriminal. Vast disparities exist in sentencing physical versus virtual crimes. For example, Albert Gonzalez was the perpetrator of the TJX Company cyberattack, in which over 45 million credit and debit card numbers were stolen, resulting in $200 million in damages. If this had been a traditional crime with the physical cards stolen, he would have spent the rest of his life in prison. However, as this was a cybercrime, he was sentenced in 2010 to two concurrent 20-year terms with the likelihood of being set free in half that time for good behavior.

1.9.2 Cyber Tort Punishment

At this point, two major questions emerge:
• How do you determine if an organization’s negligence in their computer security controls and their actions during an attack contributed to the harm?
• Which standard should be used to determine how much security is enough?

A regulatory violation is relatively straightforward with published penalties based on the cost of disclosing confidential records and following a particular industry security standard. However, when it comes to negligence, someone must assign a value to the data. For example, the majority of data breach laws assess financial penalties based on data type, time to notify, or size of the violation. Penalties can run into the millions of dollars and, in cases of gross negligence, employees could be incarcerated. Negligence cases are more complex as parties can argue the value of the data and the impact on the victims. Also, arguments can be made on the adequacy of the security controls deployed. Wronged parties can sue companies for failing to maintain adequate controls to protect their information and assets or failing their duty to protect information. One such case occurred in 2014 when a US District Court judge in Minnesota set a groundbreaking precedent for companies by ruling Target Corp. could be sued for “failing to adequately defend” against a data breach. In this case, the court ruled that “Target’s actions and inactions – disabling certain security features and failing to heed the warning signs as the hackers’ attack began – caused foreseeable harm to Plaintiffs” and “Target’s conduct both caused and exacerbated the harm they suffered” (Burns, 2015). You can expect to see this precedent cited in many future cases. In a similar case, Sony Pictures Entertainment settled a lawsuit for $8 million when they could not prove they maintained adequate controls to protect employee information that was stolen by the Guardians of Peace hacker group (Pettersson, 2015). TIP: When cyberlaws are broken, someone is always going to be held liable and made to pay. In the case of a hacking incident, the hackers are the ones sought. In the event of a failure of duty, it may very well be your organization.

Summary

By now you should have an appreciation for the need to interconnect the law with your cybersecurity program. As this chapter reveals, a cybersecurity program must provide a legally defensible position that your customers’ information is adequately protected and that any actions taken to stave off an attack do not unwittingly cause additional harm. It is also important to note that the nuances of cyberlaw definitions matter, to ensure that neither your security practices nor the law subjugate one another. Having a working understanding of the fundamentals of cybersecurity law is a necessity for most managers today.


Self-Study Questions

The following exercises will help you understand the foundation of cyberlaw.
1. Research cybercrimes that have occurred within your organization’s industry. Use these examples to build security awareness.
2. Document the cyberlaw resources available to your organization in the event of a data breach. This would include understanding the level of cyberlaw expertise of inside and outside legal counsel.
3. Meet with your organization’s incident response team to understand how cybercrimes would be handled. Pay attention to evidence preservation and chain of custody. Review your organization’s acceptable use policy to determine if cybercrimes such as cyberbullying, cyberextortion, etc. are included.
4. Meet with your organization’s security operations group to understand if current security products are configured to detect cyber tort offenses.
5. Create a contact list of crime enforcement organizations that you could call in the event of a cybercrime.
6. Validate the portions of your cybersecurity policies that address legal issues with your organization’s legal counsel.
7. Create a matrix of the states and countries where your business operates and the locations of your service providers, as well as where your customers, suppliers, and data reside. Then, map all the related cybersecurity laws and regulations that apply to each location.
8. Identify countries in which your organization conducts business where the US does not have an extradition treaty. Discuss with the security operations team whether these countries introduce a higher level of risk.
9. For each regulation to which your organization must adhere, document the enforcement capabilities of the respective regulatory body.


References

Burns, T. (2015, November 19). $10m Target data breach settlement obtains final approval. Top Class Actions. Retrieved from http://topclassactions.com/lawsuit-settlements/lawsuitnews/237688-target-10m-setfinal-approval/

E.I. DuPont de Nemours and Co. v. Kolon Industries, Inc. (2011, September 21). Retrieved from http://tsi.brooklaw.edu/cases/ei-dupont-de-nemours-and-co-v-kolon-industries-inc

FBI Newark Division. (2010, September 24). Extradited Hacker Sentenced to 10 Years in Federal Prison for Masterminding First-Ever Hack Into Internet Phone Networks. Retrieved from https://archives.fbi.gov/archives/newark/pressreleases/2010/nk092410.htm

Fosburgh, L. (1973, March 23). Chief Teller Is Accused of Theft Of $1.5‐Million at a Bank Here. The New York Times. Retrieved from https://www.nytimes.com/1973/03/23/archives/chief-teller-is-accused-of-theft-of15million-at-a-bank-here-teller.html

Higgins, J. K. (2015, December 28). Major challenge to FTC's cybersecurity authority evaporates. E-Commerce Times. Retrieved from http://www.ecommercetimes.com/story/82914.html

Kumar, M. (2018, February 27). Hacker Who Never Hacked Anyone Gets 33-Month Prison Sentence. The Hacker News. Retrieved from https://thehackernews.com/2018/02/malware-author-jailed.html

Lawrence, D. (2016, April 25). A Leak Wounded This Company. Fighting the Feds Finished It Off. Bloomberg. Retrieved from https://www.bloomberg.com/features/2016-labmd-ftctiversa/

Mooney, J. (2018, December 3). Pennsylvania Supreme Court Holds Employers Have Duty to Protect Employee Data from Cyberattacks. Pennsylvania Bar Association Cybersecurity & Data Privacy Committee. Retrieved from http://cyber.pabar.org/index.php/2018/12/03/pennsylvania-supreme-court-holdsemployers-have-duty-to-protect-employee-data-from-cyberattacks/

Perlroth, N. (2017, April 21). Russian Hacker Sentenced to 27 Years in Credit Card Case. The New York Times. Retrieved from https://www.nytimes.com/2017/04/21/technology/russian-hacker-sentenced.html

Pettersson, E. (2015, October 20). Sony to pay as much as $8 million to settle data-breach case. Bloomberg Technology. Retrieved from http://www.bloomberg.com/news/articles/201510-20/sony-to-pay-as-much-as-8-million-to-settle-data-breach-claims

Robinson, T. (2014, August 27). Former acting HHS cyber director convicted on child porn charges. SC Magazine. Retrieved from http://www.scmagazine.com/former-acting-hhscyber-director-convicted-on-child-porn-charges/article/368472/

UK News. (2019, June 10). Hacker sentenced to four years after cyber-attack on TalkTalk. Jersey Evening Post. Retrieved from https://jerseyeveningpost.com/news/uknews/2019/06/10/hacker-sentenced-to-four-years-after-cyber-attack-on-talktalk/

US Department of Justice, Office of Public Affairs. (2011, July 22). Hacker Sentenced in Virginia to 10 Years in Prison for Stealing 675,000 Credit Card Numbers Leading to $36 Million in Losses. Retrieved from https://www.justice.gov/opa/pr/hacker-sentencedvirginia-10-years-prison-stealing-675000-credit-card-numbers-leading-36

US Department of Justice, Office of Public Affairs. (2015, December 17). Operation software slashers: Six defendants plead guilty to $100 million software piracy scheme. Retrieved from https://www.justice.gov/opa/pr/operation-software-slashers-six-defendants-pleadguilty-100-million-software-piracy-scheme

US Department of Justice, Office of Public Affairs. (2016, September 1). Romanian hacker “Guccifer” sentenced to 52 months in prison for computer hacking crimes. Retrieved from https://www.justice.gov/opa/pr/romanian-hacker-guccifer-sentenced-52-monthsprison-computer-hacking-crimes

US Department of Justice, Office of Public Affairs. (2018, February 23). Arkansas Man Sentenced to Prison for Developing and Distributing Prolific Malware. Retrieved from https://www.justice.gov/opa/pr/arkansas-man-sentenced-prison-developing-anddistributing-prolific-malware

Williams, K. B. (2015, September 16). Second Russian hacker pleads guilty in massive data theft scheme. The Hill. Retrieved from http://thehill.com/policy/cybersecurity/253904-secondrussian-hacker-pleads-guilty-in-massive-data-theft-scheme


Chapter 2

Overview of US Cybersecurity Law

In the last chapter, we covered how to define cybercrime as well as basic elements of criminal and civil law. We even looked at some infamous cybercriminals who were caught in the act and prosecuted to the full extent of the law. In this chapter, I will build on these concepts to help you understand your legal obligations to duty and standard of care as an employee or manager at your company. Cybersecurity programs have procedures to ensure information and asset protection instructions are predictably and repeatedly followed. Cybersecurity law is no different; the law is very procedural with precise requirements for how a criminal or civil case is conducted. Beginning with discovery, continuing through evidence gathering, and ending in the submittal of documents to a court, every step is a highly controlled procedure. Your understanding of this process will allow you to align existing cybersecurity practices properly.

This chapter will help you to:
• Accept that as a manager or employee, you have a legal duty to act reasonably and responsibly in the protection of assets and information.
• Apply the legal rules of procedure to improve the effectiveness of your cybersecurity program.
• Identify which cybersecurity laws have the potential to impact your cybersecurity program.
• Arrive at legal strategies to handle a cybersecurity dispute outside of court.


2.1 Brief History of Resolving Cybersecurity Disputes

Remember sitting in history class and asking yourself, why does this matter? One thing that history has taught us is that we ignore its lessons at our own peril – such omissions will come back to haunt us, resulting in repeating the failures of the past. It is hard to think of computer security as even having a history; after all, the history of law began in 451 BCE in ancient Rome with the Law of the Twelve Tables. Although short in comparison, computer security does have a rich history, but I doubt many of you were around when the first legal computer crime language was adopted a little over 60 years ago within the Atomic Energy Act. The Act included passages covering “restricted data and unauthorized persons.” This initial language evolved into a robust legislative framework that defines today’s cybersecurity law. Cybersecurity law is rapidly changing; in fact, according to my research, more cybersecurity legislation has been proposed and passed in the past few years than in the previous 30 years. By learning a little about the history of cybersecurity law, you will gain an understanding of how its legal framework was forged as well as how advances in technology have driven its development.

2.1.1 Computer Crime Laws in the Public Sector

It was the 1954 Atomic Energy Act that first made unauthorized access and use of restricted information a crime. One of the earliest recorded cases of computer crime occurred in 1967, when a Texas Instruments employee stole 59 computer programs by photocopying the coding instructions with the intent to sell them to a competitor for $5 million. In the absence of any state or federal computer crime laws at the time, the state of Texas prosecuted and convicted the employee under the state’s property theft statute (Hancock v. State).

Did You Know? In 2015, Pedro Leonardo Mascheroni, a former Los Alamos National Laboratory scientist, was sentenced to 60 months in prison for violating the “restricted data” clause of the Atomic Energy Act. Which legal statute provides the best coverage for computer crimes against your company? Source: https://www.justice.gov/usao-nm/pr/former-los-alamos-national-laboratory-scientist-sentenced-prison-atomic-energy-act

Efforts to draft the first real computer crime legislation did not begin in earnest until 1976, when a report to the US Congress titled Computer-Related Crimes in Federal Programs documented 69 instances of improper use of federal computers resulting in over $2 million in losses – $15+ million in 2020 dollars (US General Accounting Office, 1976, p. 1). The resulting legislation was the Federal Computer Systems Protection Act of 1979. What was lacking, however, was legislation to address computer offenses in the private sector.


2.1.2 Computer Crime Laws in the Private Sector

Protection for the private sector would be addressed in 1986 with the passage of the Computer Fraud and Abuse Act, which made it a federal crime to access without authorization any computer to perpetrate a fraud or create a loss of value of more than $5,000. That same year, the first real Internet crime was committed when a graduate student at Cornell University, Robert Tappan Morris, launched a worm that caused significant interruptions across large portions of the Internet. In 1990, Morris became the first individual to be convicted under the Computer Fraud and Abuse Act. His conviction was affirmed upon appeal in 1991, and he served his sentence of three years, which consisted of probation, 400 hours of community service, a fine of $10,050, and the costs of his supervision (US v. Robert Tappan Morris, 1991). As you will read later, penalties have become much harsher.

Did You Know? Robert Morris is a tenured (2006) professor at the Massachusetts Institute of Technology (MIT) and an employee at the Computer Science and Artificial Intelligence Laboratory (CSAIL). In 2019, Morris was elected to the National Academy of Engineering. He has an AB and PhD in Computer Science from Harvard. Morris is also a retired founder of Y Combinator, a Silicon Valley tech venture capital firm. This just goes to prove that there can be life after hacking if you go straight.

2.1.3 Application of Laws to Cybersecurity

The application of civil law to cybersecurity cases would be tested in 1997 with the Cyber Promotions, Inc. (“Cyber”) v. Apex Global Information Services, Inc. (“Apex”) lawsuit. Here a federal district court ruled that Apex did not apply reasonable security controls to deter or prevent Internet attacks against its customer (Cyber) as they had with other clients. The Apex remedy had been simply to disconnect Apex from their network, which caused foreseeable harm to Cyber’s business. The court’s ruling further noted that other Internet service providers (ISPs) were able to apply a standard of care to prevent similar attacks and that Apex failed in its duty to Cyber (Cyber Promotions, Inc. v. Apex Global Information Services, Inc.). The court blamed Apex's conduct for its decision (Le, 1998). This ruling set the precedent for lawsuits to be based on a computer security duty of care. As computer hackers, nation-states, and organized cybercrime rings emerged, the level and sophistication of methods increased, causing significant financial losses and damage to critical infrastructure. This heightened state of criminal activity prompted the US government to amend existing computer crime legislation aggressively. However, when amendments no longer provided a deterrent, and cybercrime continued to spiral upward, the government passed significant pieces of legislation in 2014 to 2015 to fund, expand, and staff initiatives to combat cybercrime. This legislation included the Cybersecurity Enhancement, National Cybersecurity Protection, Federal Information Security Modernization, and Federal Computer Security Acts that I discuss later.

2.2 Alternative Dispute Resolution (ADR)

Civil cybersecurity law relates to matters and disputes between companies where the injured party believes the other party failed in its obligation to protect the injured party’s information and interests. Unlike cybercriminal law, where the government is responsible for proving the cyber offense, civil cyberlaw requires the injured party to enforce their rights under the civil law by suing the company that caused the harm. Typically, for a lawsuit to have merit, a basis should be established on either a contractual dispute with a failed obligation (contract law) or a failure of one of the parties to exercise reasonable behavior (tort law). But what are the options if you don’t want to go to court? You have some options to resolve a cybersecurity dispute before it reaches a courtroom. These are requests to end the dispute before the trial begins:

• Mediation Law. This is a form of alternative dispute resolution (ADR) where all parties to a potential lawsuit meet with a neutral mediator who guides a process of negotiation to reach a mutually agreeable settlement. The process is voluntary, and the results are not binding.
• Arbitration Law. Another form of alternative dispute resolution is where adversarial parties agree on a neutral arbitrator to resolve the matter in a quasi-legal forum. Arbitration can be voluntary or compulsory. Instances of compulsory arbitration are where one of the parties is required contractually or by law to participate in the arbitration. Arbitration results can be binding or non-binding. For non-binding results either party is free to reject the decision and request a trial.
• Dispositive Motions. Once a lawsuit is filed, lawyers file requests or arguments for an action by the court to make a decision before the lawsuit moves forward. Motions to dismiss, in which an attorney argues the case is without merit or standing, are among the most common.

Figure 2-1 provides a summary and comparison of the types of dispute resolution options available.


Figure 2-1. Dispute resolution comparison model.

2.1 Cybersecurity Case Mediation Law

Mediation and arbitration offer an alternative to traditional litigation. In fact, judges often recommend using either or both in cyberlaw tort cases when they order parties first to try to reach a negotiated settlement. An important distinction here is that mediation tends to be nonbinding, whereas arbitration is typically binding. In practice, you will find that mediation is rarely used in cybercriminal cases. However, it was ordered by a US district judge in 2000 in the prosecution case of a former Los Alamos physicist who stole computer tapes containing classified nuclear weapons data from a secure computer and refused to disclose what he did with the tapes (Pincus & Loeb, 2000). The precedent has been set that you or an employee of your company could be required to participate in mediation when a judge deems the case is at an impasse. You will find that the legal process tends to be iterative, beginning with mediation as a low-risk approach to solving computer security disputes while preserving your rights for arbitration or a more litigious approach later.


TIP: When mediation or arbitration is required by contract, you need to exhaust all avenues before a lawsuit is filed. In numerous cybersecurity cases, courts have summarily ruled to dismiss the case when required mediation or arbitration attempts have not been exhausted.

2.2.2 Cybersecurity Case Arbitration Law

Many business disputes are resolved through arbitration rather than pursuing an expensive lawsuit. Many business contracts require the process of arbitration, and cybersecurity contracts are no different. It will be in your best interests to understand clearly the rules of arbitration as well as which contracts your company is a party to that require arbitration. You should begin by reviewing the contracts your company has with cybersecurity service providers to understand clearly the process to resolve a dispute. Arbitration clauses will specify whether they are binding or nonbinding, and you should know the difference between the two.

Did You Know? In February 2019, a federal judge sent the MyFitnessPal data breach lawsuit, filed in California, to arbitration. The judge ruled Under Armour, the parent company, “clearly and unmistakably delegated the arbitrability issue to the arbitrator,” and granted a motion to compel arbitration filed by defendant Under Armour Inc. Do your company’s contracts specify arbitration? Source: https://www.lexology.com/library/detail.aspx?g=2629d4eb-1bdb-40ad-8ef0-364b5185f5f6

Computer security-related arbitration cases are increasing as a growing number of companies seek to ward off class action lawsuits resulting from a data breach. An arbitration clause in a business contract aims to eliminate a class action lawsuit by forcing the parties to arbitrate their grievance. However, in 2012 a federal court barred Zappos.com from forcing dozens of class action lawsuits into arbitration based on the arbitration clause contained in its user agreement. The court ruled that the Zappos.com arbitration clause was deceptive and required users to search for the clause, making it obscure (Goldman, 2012). The lesson here is that you cannot hold customers accountable for an agreement they were deceptively required to acknowledge. You should review these arbitration clauses with your legal department to ensure that all clauses are clear and that proof of customer acknowledgement is maintained as a vital record. Arbitration is used in data breach, failure to exercise adequate security, and even insider data theft cases. Such was the case in 2016 between Wells Fargo and Union Bank of Switzerland (UBS), when $1.1 million was awarded to UBS in an insider data theft case. An arbitration panel ruled that a departing UBS employee stole confidential electronic information over a period of months before joining Wells Fargo (Sprouse, 2016). What could have dragged on for many years in a lawsuit was efficiently handled through arbitration.

If the parties agree to binding arbitration, the ruling is final and without appeal. Although arbitration is typically binding, as discussed above, you do have the option of nonbinding arbitration. Nonbinding arbitration allows the parties to escalate their grievance by instituting a civil lawsuit. Once you have agreed to resolve any contractual disagreements through arbitration – binding or nonbinding – domestic (US) dispute resolution typically falls to the American Arbitration Association (AAA); transnational disputes are handled by the International Chamber of Commerce (ICC); and disputes within the financial industry are managed through the Financial Industry Regulatory Authority (FINRA). Unlike civil cyberlaw court proceedings, arbitrations are less about procedures and motions and more about facts. Arbitration cases proceed quickly to trial on the merits, where the parties present the facts of the accusation or defense.

• Nonbinding arbitration results in letters of intent or memorandums of understanding to clarify an existing or proposed legal or contractual agreement.
• Binding arbitration is a judgment that is enforceable by law if not adhered to.

Arbitration cases can be heard by a single arbiter (judge) or a panel of arbitrators similar to a jury.

2.2.3 Cybersecurity Case Dispositive Motion Law

Did You Know? On June 4, 2019, a Cook County Court judge dismissed without prejudice a proposed class action lawsuit accusing Eventbrite, Inc. and Ticketfly LLC of shoddy cybersecurity and of failing to inform users they had been hacked after a data breach. The judge ruled the complaint failed to allege a concrete injury and that future harm would not suffice. Would you know how to defend against a class action lawsuit? Source: https://www.law360.com/articles/1166054/judge-dismisses-class-action-over-ticketfly-data-breach

As discussed earlier, dispositive motions are legal motions which seek to dispose of all or parts of a lawsuit by dismissing all or some claims of the lawsuit. Simply put, you petition the court to dispose of aspects or claims of the case based on a particular argument. You could ask your attorney to request that the entire case, or a portion of the case, be dismissed. This type of motion can also be used to request the judge to issue a summary judgment, or rule immediately based on the facts presented. You would submit these motions before the trial is scheduled to commence. You may also use motions to resolve issues related to the types of evidence that can be introduced. The following are some of the ways that cybersecurity cases have been dismissed:

• Failure to State a Claim Upon Which Relief May Be Granted. Here the facts described in the lawsuit do not actually state a legal claim for relief. An example of this would be the 2008 case of Whalen v. Michaels Stores. In this case, the plaintiff was unable to prove the theft of their credit card produced any damage or harm. A judge in the US District Court of Eastern New York dismissed the case (Siegel, 2016).
• Lack of Harm. In January 2016, a Minnesota US District Court granted SuperValu, Inc. a motion to dismiss when plaintiffs were unable to prove actual loss or harm. Claims of potential future harm were dismissed (Tuma, 2016).
• Lack of Personal Jurisdiction. Courts will not hear a case where they do not have jurisdiction, or the legal power, over all the parties in the dispute. An Illinois federal judge ruled Facebook could not be sued under Illinois’ Biometric Information Privacy Act (BIPA) because Facebook does not specifically target the state or have enough connections with it (Davis, 2016).
• Lack of Standing. An Eastern District of Missouri federal judge dismissed the Scottrade, Inc. data breach lawsuit in July of 2016 when plaintiffs failed to prove standing. The judge stated that even after two years, the plaintiffs had not experienced a single case of identity theft (Aubin, 2016).
• Lack of Subject Matter Jurisdiction. This is an argument that the court where the lawsuit was filed lacks the authority to rule on the case. In October 2013, a federal judge dismissed a data breach case against LinkedIn (Vaas, 2013). In order to bring a case in federal court, a harm must be concrete and particularized, as well as actual and imminent. The plaintiffs could not prove either, leaving the judge to rule that no case was in controversy, resulting in the ruling that a lack of subject matter jurisdiction existed.

Table 2-1 shows a few of the more notable and diverse data breach class action lawsuits that have been dismissed.

Table 2-1. Data Breach Class Action Lawsuits Dismissed

Company: Equifax
Status: Dismissal Motion Denied in Part, Granted in Part
Origin: In 2017, hackers had breached its consumer database and accessed millions of records containing personally identifiable information.
Complaint:
• Defendants made multiple misleading statements and omissions about the sensitive information in Equifax’s custody; about vulnerability of the company’s systems to cyberattack; and about the company’s compliance with data protection laws.
• Executives sold stock before share price drop occurring upon breach announcement.
Dismissed:
• Data breach itself did not, by itself, create a duty to disclose.
• Sarbanes-Oxley internal control certifications to be inactionable as they don’t relate to data security.
Year: 2019

Company: UnityPoint Health
Status: Partially Dismissed
Origin: Attackers gained access to email accounts containing the protected health information (PHI) of 16,429 patients using a phishing attack.
Complaint:
• Unnecessarily delayed the issuing of breach notification letters for two months, in violation of HIPAA Breach Notification Rule requirements.
• Too little was done to help victims of the breach. Breach victims were not offered complimentary credit monitoring or identity theft protection services.
Dismissed:
• Invasion of privacy.
• Misrepresentation.
• Violations of the state data breach notification statute and consumer fraud statutes.
Year: 2019

Company: SuperValu Inc.
Status: Dismissed
Origin: Suffered two cyberattacks in 2014 that compromised customer credit and debit card information.
Complaint:
• Expenditure of time monitoring his account.
• The single fraudulent charge to his credit card.
• Effort expended replacing his card.
Dismissed:
• Plaintiff did not suffer harm even though he incurred a fraudulent charge to his credit card.
Year: 2019

Company: eBay
Status: Dismissed
Origin: 2014 data breach that exposed encrypted passwords and personal information for 145 million users.
Complaint:
• Economic damages.
• Actual identity theft.
• Damages resulting from having to mitigate an increased risk of identity theft, as well as lost time.
Dismissed:
• Plaintiff has not adequately alleged Article III standing (no harm proved).
Year: 2015

Company: Uber
Status: Dismissed
Origin: Someone used a security key to improperly download 50,000 drivers’ names and license numbers in 2014.
Complaint:
• Poor network security.
• Allowed login credentials for their driver database to be publicly accessible for months before and after the breach.
Dismissed:
• Plaintiff did demonstrate that Uber’s conduct regarding the breach had caused injury.
Year: 2015

Company: LinkedIn
Status: Dismissed
Origin: Alleged that LinkedIn violated privacy rights under the SCA when the company illegally transmitted his personally identifiable browsing history to advertisers, Internet marketing companies, data brokers and web tracking companies.
Complaint:
• Violated provisions of the Stored Communications Act (SCA).
Dismissed:
• Cannot be sued under the SCA as company is neither a remote computing service (RCS) nor an electronic communication service (ECS).
Year: 2012

2.2.4 Cybersecurity Case Summary Judgments

You may be involved in a lawsuit in which both the plaintiff and the defendant do not dispute the facts of the case. And, even if the facts were in dispute, the overwhelming case law precedent would result in a ruling in favor of the party requesting the summary judgment. For example, if your company were sued in a class action lawsuit, you may agree that the breach actually occurred as a result of your databases being compromised and that customer data was stolen. No argument there, but your attorney could ask for a dismissal of the case because the plaintiffs did not demonstrate that they lost any money. Based on the case law of “standing,” the judge would have no option but to dismiss the case. Another example may be that both parties concede to the facts of the data breach and the plaintiffs can prove a loss. Thus, the plaintiffs could ask for a summary judgment on the amount of their damages. In this example, the judge could rule immediately and award a financial judgment.

Did You Know? In the data breach case Beck v. McDonald, the U.S. Court of Appeals for the Fourth Circuit issued a summary judgment when it found no allegation or evidence that confidential information was targeted or had been used fraudulently. Which legal statute provides the best coverage for computer crimes against your company? Source: https://www.dataprotectionreport.com/2017/04/fourth-circuit-weighs-in-on-what-constitutes-injury-in-fact-in-data-breach-cases/

Through the use of dispositive motions, only about 5% of all lawsuits go to trial. The important point for you to remember here is that if you utilize available out-of-court settlement strategies, a lawsuit need not be a long, protracted and expensive event.


2.3 Successful Data Breach Lawsuits

Some companies are lulled into a false sense of security when they read about the many reported data breach-related lawsuits that have been dismissed. However, thinking that your future case could be just as easily dropped would be ill advised. Table 2-2 shows examples of successful data breach settlements where the plaintiff showed standing and a compelling argument to force a settlement.

Table 2-2. Major Data Breach Settlements

Company (Year) – Awarded Damages
Equifax (2019) – $671 million settlement to resolve claims that it failed to properly safeguard consumers’ information.
Uber (2018) – $148 million settlement with 50 U.S. states and Washington, D.C., for failing to disclose a massive data breach in 2016 which exposed personal data from 57 million user accounts.
Anthem, Inc. (2017) – $115 million settlement after a breach compromised 80 million customers’ private data.
Tampa General Hospital (2016) – Settled to pay the plaintiffs $10,000 in damages and up to $7,500 to cover the plaintiffs’ attorney fees and litigation expenses.
Home Depot (2016) – Agreed to pay $19.5 million to consumers affected by its 2014 data breach ($13 million to reimburse shoppers for losses and $6.5 million toward identity protection services). A year later, Home Depot agreed to pay $25 million to several dozen banks and credit card companies.
Advocate Health Care (2016) – Agreed to a $5.5 million settlement with the U.S. Department of Health and Human Services (HHS) for multiple potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving electronic protected health information (ePHI).
Stanford University Hospital and Clinics (2014) – Agreed to pay $4 million to settle a class action lawsuit involving 20,000 emergency room patients’ data made available in 2010 on a third-party student homework website, which violated California’s well-known Confidentiality of Medical Information Act (CMIA).
Sony (2014) – Agreed to settle a class action lawsuit over the 2011 breach of its PlayStation Network, which exposed tens of millions of user names, addresses, passwords and credit card numbers. Money to be paid out in the form of games.
Target (2013) – Agreed to pay $18.5 million to 47 U.S. states and the District of Columbia for the company's massive 2013 data breach. Target reported that hackers stole data from up to 40 million credit and debit cards from shoppers who visited its stores in the 2013 holiday season.


2.4 Duty of Care Doctrine

In cybersecurity tort law, the duty of care doctrine is a legal obligation which is imposed on an individual or company to adhere to a standard of reasonable care while entrusted with safeguarding personal or confidential information. It is important that you understand the level of seriousness and fiduciary responsibility incumbent upon your organization. If your role includes direct responsibility for protecting information and assets, you can now be held personally liable for your actions. Your company needs to be fully aware of the foreseeable harm that can occur from cyberattacks. In the context of cybersecurity law, your duty of care is imposed by data breach laws, computer security regulations, or federal computer crime laws. Obviously, you will face the question of how “foreseeable” and predictable an attack might be. For example, courts will likely expect companies to foresee harm in cases where a widely known vulnerability was exploited despite existing patches or safeguards. In cases of a “zero-day attack,” where a previously undisclosed vulnerability was exploited by hackers to steal data, courts will likely be more understanding in determining adherence to your duty of care.

TIP: Foreseeable harm can be determined through the results of your company’s risk assessment program. Extend the likelihood and projected impact of threat events to foreseeable harm to customers. Courts have been far less forgiving in arguments against foreseeable harm related to publicly known exploits or security holes.

In 2014, Luis A. Aguilar, the commissioner of the Securities and Exchange Commission (SEC), stated that “there can be little doubt that cyber-risk also must be considered as part of a board’s overall risk oversight” (Aguilar, 2014). The inference is that board members of public companies have a fiduciary responsibility to shareholders and investors to oversee cybersecurity efforts. In 2016, bill H.R.5069, the Cybersecurity Systems and Risks Reporting Act, was introduced as an upgrade to the Sarbanes-Oxley Act to include provisions for cybersecurity. The bill would mandate public companies to expand internal controls and disclosures to include cybersecurity. The act also requires the organization to provide the names of a principal cybersecurity systems officer and at least one cybersecurity expert. Your obligations under the duty of care doctrine cover a broad spectrum, where you are required to provide reasonable security to protect information and honestly and openly disclose material breaches in security. Obligations under the duty of care include:

• Duty to provide reasonable security.
• Duty to reveal security breaches.
• Duty to accurately disclose safeguards.
• Duty to protect information.

2.4.1 Duty to Provide Reasonable Security

When a direct or implied contractual relationship exists, your company has a duty to protect customer interests and their data. Think of reasonable care in terms of what a prudent person would do under the same circumstances. Once you have identified foreseeable threats, your organization should provide the security controls and policies considered reasonable to protect customers. Courts have interpreted this protection to include actions that are considered commercially sensible to defend against cyberattacks adequately. In the context of cybersecurity, “commercially reasonable” means that your efforts to protect data need to be consistent with past practices of similar companies with similar risks. For example, if you are in an industry in which generally accepted security practices for protecting data include data encryption, and a suitable number of data encryption products and standards are available, then the courts would expect you to provide a similar level of protection.

Did You Know? Courts will look at nationally or internationally accepted cybersecurity standards to define your duty of care. Two such standards are ISO/IEC 27001 Information technology – Security techniques – Information security management systems – Requirements (from the International Organization for Standardization), and NIST Special Publication 800-53 – Security and Privacy Controls for Federal Information Systems and Organizations (from the National Institute of Standards and Technology).

2.4.2 Duty to Reveal Security Breaches

On April 24, 2018, Altaba, formerly known as Yahoo, entered into a settlement with the Securities and Exchange Commission (the “SEC”), pursuant to which Altaba agreed to pay $35 million to resolve allegations that Yahoo violated federal securities laws in connection with the disclosure of the 2014 data breach of its user database. This was the first time a public company was charged with failing to disclose a cyber breach.

If your organization experiences a breach in data security, your duty of care requires that you disclose the fact to your customers. You have this duty because of state data breach laws that specify a clear duty to notify customers that their data has been compromised as well as to let them know what security controls were in place at the time of the breach. You also have a responsibility based on common law (previous court cases) principles which govern negligence liability to ensure that your company does not ignore obvious threats or harbingers of an attack. In addition, public companies are required to disclose cybersecurity breaches based on the SEC’s Division of Corporate Finance document CF Disclosure Guidance: Topic No. 2 – Cybersecurity. This document specifies the disclosure obligations of public companies relating to cybersecurity risks and cyber incidents. This document also requires public companies to refer to cybersecurity risks and cyber incidents as part of their risk disclosures.

Did You Know? Do you know all the data breach notification requirements? Source: https://corpgov.law.harvard.edu/2018/05/17/failure-to-disclose-a-cybersecurity-breach/

Some of your primary disclosure obligations include:

• Disclose the risk of cyber incidents as a business risk factor.
• Disclose conclusions on the effectiveness of cyber controls.
• Disclose the financial effect of a cyberattack.
• Disclose loss contingencies of the effect of a cyberattack.

The SEC cybersecurity disclosure document also provides guidance on how companies can capitalize their investments in cybersecurity, how to provide customers with incentives to stay with them following a cyberattack, and how to account for losses incurred from a breach of security. I recommend you take a closer look at the Accounting Standards Codification (ASC), in which the accounting profession has codified the standards established by generally accepted accounting principles (GAAP):

• ASC 350-40 – Internal-Use Software: This rule may allow you to expense some of the cost of cybersecurity software used to protect internal systems. This would include intrusion detection systems, firewalls, anti-virus, and other types of security software.
• ASC 605-50 – Customer Payments and Incentives: This rule may allow you to expense the cost of data breach customer retention expenses consisting of credit monitoring subscriptions, customer security software, and other qualifying expenses.
• ASC 450-20 – Loss Contingencies: This rule may allow you to deduct probable and reasonably estimated losses resulting directly from the cyberattack.

TIP: You should have a discussion with your company’s chief financial officer (CFO) on how these accounting rules may be used in financial support of the cybersecurity program. Expenses could cover capital investments as well as upgrades in cybersecurity technologies.

What happens if your organization’s chief information security officer (CISO) is at odds with executive management over the disclosure of a security breach? In the case of Yahoo!’s data breaches, reports suggested that Yahoo!’s CISO, Alex Stamos, had tried aggressively to get management to act more strongly regarding their data breaches, but he had not been successful. He ultimately resigned in 2015, assuming the role of CISO at Facebook (Swisher & Wagner, 2016). TIP: Carefully document your communications with senior management regarding the reporting of data breaches to ensure that you are adhering to your duty to disclose. Advise management formally of the legal requirements to disclose security breaches. Such documented communication provides a level of protection for you in the event a tort case is filed against the organization.


2.4.3 Duty to Accurately Disclose Safeguards

You have a duty enforced by the law of misrepresentation, which imposes a general obligation to provide accurate statements. Companies have been sued for “puffing up” the types of cybersecurity controls deployed to protect customer information. Misrepresenting your company’s cybersecurity defense capabilities is a serious breach of duty. In one such example, Columbia Casualty, a division of CNA Financial Corporation, sued its former client Cottage Health System to recover a $4.125 million claim payout made as a result of a 2014 class action lawsuit. After CNA funded the settlement, it asserted that Cottage Health System had misrepresented its security controls on its application under the policy clause of “failure to follow minimum required practices.” A California federal court subsequently dismissed the case without prejudice (meaning CNA can refile later) because CNA failed to exhaust all its non-judicial remedies before filing suit (Anderson, 2015). CNA will continue to pursue the recovery of its payout based on the primary case fact that Cottage Health System failed to encrypt its data as declared on its policy application. What makes this case particularly interesting is the full gamut of legal actions. The first was a class action lawsuit brought by those affected by the data breach; the second was the contract dispute over the insurance claim; the third was a lawsuit following the failure to resolve the contract dispute; and the last was arbitration. The point here is that this issue could result in a drawn-out legal battle lasting several years. You will need to ask yourself if your company’s data protection disclosure accurately reflects how you protect your customers’ interests and data.

TIP: Perform an assessment of your company’s security and data privacy statements regarding your cybersecurity program to validate the accuracy of claimed assurances and data protection safeguards.

2.4.4 Duty to Protect Information

If your company is contracted to process or store customer information, you have a legal duty to exercise due care for safeguarding confidential or personal information according to common law. Some statutes specify rights for relief or a form of compensation if that duty is not upheld. Even if there is no implied or written form of compensation for a data breach, the affected party may still be able to bring a tort suit based on common law (precedent) legal theories that establish a duty to protect information. Under common law, if you have a contractual relationship with a party, you may be viewed as having the duty to safeguard information from cyberattacks because your company is in the best position to take the necessary measures to protect data. In addition, if a contract exists between two parties, the customer can claim negligence. Make sure you thoroughly understand the contractual relationship that exists between your company and your customers and ask yourself if what you are doing is prudent.

2.4.5 State-Based Duty of Care Laws

Some states have passed duty of care laws to compel businesses to safeguard customer interests and data. Minnesota passed the first Plastic Card Security Act in 2007. This was the first time a state instantiated into law an industry regulation – the Payment Card Industry Data Security Standard (PCI DSS). The act holds companies handling credit and debit card data legally liable for implementing PCI DSS. In 2010, Nevada (Stat. Ch. 603A) and Washington (HB 1149) joined Minnesota with their versions of payment card data breach laws. Other states have incorporated this type of protection in their existing data breach laws as well. You will need to identify any duty of care laws passed in the states where your company operates.

2.5 Failure to Act Doctrine

After reading about your duties of care, you should have a great idea of your legal obligations to protect information, but what about a failure of care? Your failure to care translates legally to failure to act. Your failure to act is just as important as your duty of care. The differences may appear subtle, but they are important. In failure to act or warn, you have a responsibility to take an action that either avoids further harm or prevents harm. When no established duty of care exists, you may still have an obligation based on your vantage point to reduce or prevent harm. You and others may feel uncomfortable with this doctrine, which is exactly why Good Samaritan laws exist. Obligations under the failure to act doctrine include:

• Failure to act duty.
• Failure to warn duty.
• Good Samaritan law.

2.5.1 Failure to Act Duty

Failure to act rules require the exercise of reasonable care to avoid, minimize, and not exacerbate the damages caused by a cyberattack. For example, if you have a contractual obligation to secure your customers’ data or provide a secure method to share digital information, you have established a pre-existing legal duty to act. There also needs to be a connection between the failure to act and the harm caused. Let’s put this in concrete terms. If a company chooses not to encrypt personally identifiable information (PII) on a SQL server which does not have the Microsoft recommended security patches, and hackers gain access, exfiltrate all the PII and then steal the identity of your customers causing them financial loss – that’s failure to act. A claimant in that example would argue that your company failed to procure appropriate cybersecurity safeguards, which increased the risk of harm in light of your knowledge that unpatched computers represent a significant risk.


2.5.2 Failure to Warn Duty

A failure to warn duty involves someone or some entity knowing of harm, yet choosing not to disclose that danger to protect others. Take for instance the case of Jane Doe No. 14 v. Internet Brands, Inc., DBA Model Mayhem. In 2011, a model went to Florida for an audition with an alleged talent scout found on the website modelmayhem.com. The model was drugged, raped, and filmed at a fake audition. The model sued Internet Brands, Inc., the parent of Model Mayhem; however, the case was dismissed by the Ninth District Court on the grounds that the claim was barred by the Communications Decency Act (CDA), 47 USC. § 230(c) (2012). The CDA states that companies cannot be held accountable for the actions of their customers using their websites. That ruling was overturned in 2016 when the judge ruled that the Jane Doe case did not violate the CDA and that Internet Brands does have a duty to warn based on their knowledge of rape schemes perpetrated on their website and the special relationship they hold with their customers (Tung, 2016). This case is now going forward. The outcome of the case could forever change the landscape of how website service companies claim the CDA as mitigation of their liabilities. Internet companies such as Google commonly apply duty to warn by issuing warnings to their users about specific cyberattacks. The US government also recognized a duty to warn in a July 2015 publication, which said, “Duty to Warn means a requirement to warn US and non-US persons of impending threats of intentional killing, serious bodily injury, or kidnapping.” The document also notes, “This includes threats where the target is an institution, place of business, structure, or location” (Office of the Director of National Intelligence, 2015, pp. 1-2).

Whether these specified warnings are interpreted to include cyberattack warnings is yet to be seen; however, as the intelligence community is comprised of 17 agencies and organizations, all with a cybersecurity component, it is widely assumed that it won’t be long. One of the most visible examples of duty to warn involves a security flaw discovered in 2015 by white hat hackers, who use their abilities for the good, ethical, and legal purpose of exposing computer security flaws. When the hackers demonstrated that they could control a broad range of Jeep safety-critical vehicle systems from up to 10 miles away – including cruise control, brakes, radio, windshield wipers, and transmission – it led to the July 2015 massive recall of 1.4 million Fiat Chrysler vehicles (Ungerleider, 2015). The hack prompted the introduction of H.R.3994 – SPY Car Study Act of 2015. The Fiat Chrysler recall is a great example of a company properly exercising its duty to warn. To determine if your organization has a duty to warn, sit with your legal counsel to consider carefully the relationship you have with your customers and to determine if your company’s operations have a known way of causing harm.

2.5.3 Cybersecurity Good Samaritan Law

Most of us have heard of Good Samaritan laws that offer legal protection to those who aid those whom they believe are injured or at peril. The lack of some type of cybersecurity Good Samaritan law is a top reason that companies cite for not readily sharing cyber threat information with other organizations or the government. That excuse may no longer apply with the passage of the 2016 Consolidated Appropriations Act, which contains an amendment for creating a voluntary cybersecurity information sharing process within the Department of Homeland Security (DHS). Within the act (Section 105) is a provision to promote cybersecurity information sharing by removing the liabilities for companies sharing threat and vulnerability information. Extending liability protection to private entities for sharing cyberattack information essentially elevates this act to a cybersecurity Good Samaritan law. One other important aspect of this act is that information shared with the government is exempt from the Freedom of Information Act, meaning others cannot reverse engineer or otherwise learn about what you shared. To learn more about S.754 - Cybersecurity Information Sharing Act of 2015, read more at https://www.congress.gov/bill/114th-congress/senate-bill/754/text.

2.6 Reasonable Person Doctrine

In tort cases, when compared with others in your field or industry, you will be expected to exercise average care, skill, and judgment in the conduct of your duties. Managers of cybersecurity (as well as all company officers) have an obligation to protect information and assets. Therefore, it is important that you understand the doctrine of the standards of care of a “reasonable person.” In a cybersecurity tort case, the standard of care is what separates a negligent act from an accident. Neglecting the proper standard of care to protect information and assets enables the perpetrator to be sued for negligence. Your actions during and after a cyberattack will be compared to what a reasonable person would do in a similar situation. Juries will evaluate your conduct considering your knowledge level as well.

TIP: If you hold one or more security certifications, you will be deemed a security expert and held to a higher standard of conduct. You would be expected to know and follow industry-accepted cybersecurity standards and provide minimum protections required under the law.

An excellent example of how industry knowledge can be used to claim negligence is found in the September 2016 lawsuit filed against Yahoo! A class action lawsuit filed in California by Yahoo! users claimed the company exhibited gross negligence relating to their disclosure of a massive 500 million user account data breach by taking two years to detect the hack. The lawsuit argues that the industry average to detect cyberattacks is 191 days, with 58 days to contain a breach. Yahoo! cybersecurity personnel will likely find it difficult to claim they were acting as a reasonable person would in a similar situation.

2.7 Common Law Duty

Management of organizations are expected to act in a manner where their responsibilities are carried out with due care. Due care is a legal standard that requires conduct commensurate with what a reasonable man or woman would do in a situation. Common law is based on previous situations or precedents. In other words, what would a person of similar background and training do to protect information based on what was customary? On November 21, 2018, the Pennsylvania Supreme Court drastically changed the data breach litigation landscape by holding that an employer has a common law duty to use reasonable care to safeguard employees’ personal information stored on an Internet-accessible computer (McAndrew, Yanella, & Ricci, 2018). The case, Dittman v. UPMC, arose from the 2014 theft of the data of 62,000 employees from the University of Pittsburgh Medical Center’s (UPMC) network. The Court further held that Pennsylvania’s economic loss doctrine permits recovery for “purely pecuniary damages” on a negligence claim premised on a breach of such a duty (McAndrew, Yanella, & Ricci, 2018). Pecuniary damages are simply losses that can be calculated in dollars. The court ruled that UPMC collected and stored that information on its Internet-accessible computer system without the use of adequate security measures, including proper encryption, firewalls, or authentication protocols.

2.8 Criminal Cyberlaw

The criminal law relating to cyber offenses involves a system of legal rules designed to deter wrongful conduct relating to computers and information. Hackers or malicious insiders who violate these laws face incarceration, fines, victim restitution, forfeiture of assets, etc. Criminal law is adversarial by design, requiring two advocates to represent each side’s position before a judge or jury, who attempt to determine the truth of the case. This is an important point, since your firm may need to be prepared to “argue” its case in the event you are involved in a lawsuit.

2.8.1 Cybercrime Penalties

Criminal penalties in the US are categorized into degrees of offense, and cybercrime is no different. Many states, as well as the federal government, base their sentencing guidelines on these levels. Less serious crimes are considered misdemeanors and more serious ones are classified as felonies. Financial penalties, incarceration, probation, and other forms of punishment vary by degree as well. Virtually all cybercrimes are primarily defined as either unauthorized access to a computer, computer tampering, or intentionally altering or destroying data. The degree or level of crime is determined by the amount of damage done, financial loss, and the intent. Table 2-3 is an illustration of the primary degrees of cybercrime.


Table 2-3. Cybercrime Degrees

Degree                  Class                 Financial Damage Level   Maximum Prison Term
1st Degree Cybercrime   Class C Felony        $10,000                  20 Years
2nd Degree Cybercrime   Class D Felony        $5,000                   10 Years
3rd Degree Cybercrime   Class A Misdemeanor   $1,000                   5 Years
4th Degree Cybercrime   Class B Misdemeanor   $500                     1 Year

Criminal offense classifications vary by jurisdiction (state and federal). Degree classification can be specified by a letter or number and can include five or more degrees in some instances. You will need to review your respective jurisdictions for specific classifications. Knowing the degrees of crime in your own jurisdiction will help you in identifying the type and depth of forensic investigation necessary to assist law enforcement.

TIP: Use criminal degrees to determine the level of effort and cost your organization should invest in a forensics investigation. For example, the cost of investigating a misdemeanor crime may not be justified.

2.9 Federal Computer Crime Statutes

Computer crime laws encompass a variety of offenses where computer information is either destroyed, altered, stolen, or otherwise interfered with. Many crime bills are introduced each year; however, not many become law. It is important for you to know that many of these laws have been and will continue to be amended. Because of those amendments, the year a law was originally passed does not necessarily make it any less effective.

2.9.1 Federal Laws Addressing Computer Security

The following are the most important federal laws passed specifically to address computer crimes and cybersecurity:

• 1954 – Atomic Energy Act: This is the first federal law that specified the classification and safeguarding of information and made unauthorized access and use a crime. The 1946 version of the act did cover the control of information; however, it referred to the technology as “appliances” since computers were in limited use at the time.
• 1986 – H.R. 4718 – Computer Fraud and Abuse Act: Amends an existing computer fraud law (18 USC. § 1030) which had been previously included in the H.R. 5963 Comprehensive Crime Control Act of 1984. Since its inception, the Computer Fraud and Abuse Act has been amended six times: 1988, 1994, 1996, 2001, 2002, and 2008.
• 1986 – H.R. 4952 – Electronic Communications Privacy Act: Amends the federal criminal code to extend the prohibition against the unauthorized interception of communications to include specific types of electronic communications.
• 1987 – H.R. 145 – Computer Security Act: Designed to improve the security and privacy of sensitive information held in federal computer systems. Creates a means for establishing minimum acceptable security practices for such systems, without limiting the scope of security measures already planned or in use.
• 2000 – H.R.2816 – Computer Crime Enforcement Act: Establishes a grant program to assist State and local law enforcement in deterring, investigating, and prosecuting computer crimes.
• 2014 – S.1353 – Cybersecurity Enhancement Act: Facilitates and supports the development of a voluntary, consensus-based, industry-led set of standards and procedures to cost effectively reduce cyber risks to critical infrastructure.
• 2014 – S.2519 – National Cybersecurity Protection Act: Establishes a national cybersecurity and communications integration center in the Department of Homeland Security (DHS).
• 2014 – S.2521 – Federal Information Security Modernization Act: Implements standards and guidelines for safeguarding federal information and systems from a known or reasonably suspected information security threat, vulnerability, or risk.
• 2014 – H.R.2952 – Cybersecurity Workforce Assessment Act: Directs the Secretary of Homeland Security, within 180 days and annually thereafter for three years, to conduct an assessment of the cybersecurity workforce of the Department of Homeland Security (DHS).
• 2015 – S.1990 – Federal Computer Security Act: Directs the Inspector General of each executive agency that operates a federal computer system that provides access to classified information or personally identifiable information to submit a report to the Comptroller General and specified congressional committees that includes:
  1. A description of the logical access standards used by the agency to access such system, including whether the agency is using multi-factor logical access controls for such access.
  2. If the agency does not use such access controls, a description of the reasons for not doing so.
  3. A description of the data security management practices used by the agency, including the policies and procedures for conducting inventories of software and associated licenses, an indication that the agency has entered into a licensing agreement for the use of software security controls to monitor and detect threats, or an explanation for why it has not entered such an agreement.
  4. A description of agency policies and procedures for ensuring that entities that provide services to the agency are implementing data security management practices.
A description of the logical access standards used by the agency to access such system, including whether the agency is using multi-factor logical access controls for such access. 2. If the agency does not use such access controls, a description of the reasons for not doing so. 3. A description of the data security management practices used by the agency, including the policies and procedures for conducting inventories of software and associated licenses, an indication that the agency has entered into a licensing agreement for the use of software security controls to monitor and detect threats, or an explanation for why it has not entered such an agreement. 4. A description of agency policies and procedures for ensuring that entities that provide services to the agency are implementing data security management practices. 57







2018 – S.770 – NIST Small Business Cybersecurity Act: require the National Institute of Standards and Technology (NIST) to consider small businesses when it facilitates and supports the development of voluntary, consensus-based, industry-led guidelines and procedures to cost-effectively reduce cyber risks to critical infrastructure. 2018 – H.R. 3359 – Cybersecurity and Infrastructure Security Agency Act: This bill amends the Homeland Security Act of 2002 to redesignate the Department of Homeland Security's (DHS's) National Protection and Programs Directorate as the Cybersecurity and Infrastructure Security Agency. It transfers resources and responsibilities of the directorate to the agency. 2018 – H.R. 7327 – Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act: Directs the Department of Homeland Security (DHS) to: (1) establish a policy applicable to individuals, organizations, and companies to report security vulnerabilities on DHS information systems; and (2) develop a process to address the mitigation or remediation of the vulnerabilities reported. DHS shall make such policy publicly available and submit a copy to Congress with the required remediation process. Also, DHS shall establish, within the Office of the Chief Information Officer, a bug bounty pilot program to minimize security vulnerabilities.

Laws relating to encryption, copyright, privacy, etc. are covered elsewhere within this book. Future laws proposed for the 116th Congress in the 2019 – 2020 session are covered in Chapter 5. To remain current on laws, go to www.congress.gov to search for existing or pending legislation related to cybercrime or cybersecurity.

2.9.2 The US Code

Most federal computer crime provisions are codified in, or refer to, the US Code, which is the consolidation of the general and permanent laws of the nation. The 1986 Computer Fraud and Abuse Act, for example, amends Section 1030 of the code. Of the US Code's 54 titles, Title 18 deals with crimes and criminal procedure. Within Title 18 is Chapter 47 – Fraud and False Statements, in which Section 1030 covers fraud and related activity in connection with computers. The current edition of the code is the 2018 edition. Section 1030(d) gives the Secret Service, in addition to the FBI and any other agency having such authority, the authority to investigate offenses under the section and apprehend offenders, owing to the seriousness of the crimes. Table 2-4 outlines the primary offenses included in Section 1030 and their maximum penalties.

Table 2-4. Primary Offenses under 18 U.S.C. § 1030 and Their Maximum Penalties (Years of Imprisonment)

Offense | Section | First Offense | Second or Subsequent Offense
Obtaining National Security Information | (a)(1) | 10 | 20
Accessing a Computer and Obtaining Information | (a)(2) | 1 or 5 | 10
Trespassing in a Government Computer | (a)(3) | 1 | 10
Accessing a Computer to Defraud and Obtain Value | (a)(4) | 5 | 10
Intentionally Damaging by Knowing Transmission | (a)(5)(A) | 1 or 10 | 20
Recklessly Damaging by Intentional Access | (a)(5)(B) | 1 or 5 | 20
Negligently Causing Damage and Loss by Intentional Access | (a)(5)(C) | 1 | 10
Trafficking in Passwords | (a)(6) | 1 | 10
Extortion Involving Computers | (a)(7) | 5 | 10

Where two figures appear for a first offense, the higher maximum applies when the statute's aggravating conditions are met (for example, commercial advantage or private financial gain, or loss above the statutory threshold).

Crimes can include misdemeanors and felonies depending on the seriousness of the offense. Crimes committed for commercial use, financial gain, or perpetrated in the furtherance of a criminal act tend to be classified as felonies.

2.10 Procedural Law

Procedural law is simply the process that a case follows from beginning to end, regardless of whether it makes it to trial or not. Federal, state, and international courts each have their own set of rules (evidence, pleadings, practices, etc.) referred to as a code of criminal or civil procedure. You will need to be aware of the rules governing how a court hears and determines what occurs in civil lawsuits and criminal cases to ensure due process. A comprehensive penal code does not guarantee successful litigation if the procedural law is not followed. Of particular importance to you will be the rules of evidence. For example, evidence gathering may be restricted to physical evidence when, in fact, you will need to gather virtual evidence that resides in the cloud. Like career criminals in other areas of law, cybercriminals are well versed in methods of leveraging criminal procedure to structure their crimes and avoid prosecution. Procedural law includes:

• Rules of criminal procedure.
• Rules of civil procedure.

2.10.1 Rules of Criminal Procedure

Prosecuting cybercrimes requires a specific set of rules to ensure that evidence is gathered correctly as well as properly presented in court. These rules protect the rights of the accused as well as the interests of the prosecution and the victim. Your understanding of the rules of evidence and criminal procedure is what will guide your approach to incident response and forensic investigation practices. One of the most important components of the Federal Rules of Criminal Procedure relates to search and seizure. Table 2-5 summarizes the three search and seizure rules that you should be most familiar with.

Table 2-5. Rules of Search and Seizure

Rule | Title | Purpose
Rule 41(e)(2)(B) | Warrant Seeking Electronically Stored Information | Authorizes the seizure of electronic storage media or the seizure or copying of electronically stored information, with later off-site review of the media or information consistent with the warrant.
Rule 41(f)(1)(B) | Inventory | Requires the officer executing the warrant to prepare and verify an inventory of the property seized, in the presence of another officer and the person from whom (or from whose premises) it was taken, or, if either is absent, at least one other credible person. Where storage media are seized or data is copied, the inventory may be limited to describing the physical storage media.
Rule 41(g) | Motion to Return Property | Allows a person aggrieved by a seizure to move for the return of the seized property. If the motion is granted, the court may impose reasonable conditions to protect access to the property and its use in later proceedings.

You can access the entire text of the 2019 version of the Federal Rules of Criminal Procedure at https://www.law.cornell.edu/rules/frcrmp. As one example of our current dynamic legal landscape, in April 2016 the US Supreme Court approved the US Department of Justice's requested amendment to Rule 41, which permits a magistrate judge to issue a warrant for the remote access, search, and seizure of computers located outside the judge's district, for instance where the computer's location has been concealed through technological means. What this means to you is that, in the course of a criminal investigation, your organization or its employees may have their computers searched remotely by the FBI. What would you do if your intrusion detection system detected such an event?

2.10.2 Rules of Civil Procedure (Cyber Tort)

What you may not know, however, is that the rules of civil procedure apply to your organization whether or not you are ever involved in a court case. In 2006, the Federal Rules of Civil Procedure were significantly revised to require any business that could become a party to a civil action in a federal court to retain electronic records in the form of email, instant messages, text documents, and other digital information (logs, etc.). The rules require digital records to be retrievable if economically feasible. Additionally, you must be able to show how your organization retains electronic documents, what practices are used to retrieve them, and by what policy and methods files and digital records are deleted. In 2015, the rules were further amended to take into account the increasing size and sophistication of digital data (think big data). Table 2-6 summarizes the important rules pertaining to digital data that you should be most familiar with.

Table 2-6. Rules Applying to Digital Data

Rule | Title | Purpose
Rule 16(b)(3)(B)(iii) | Contents of the Scheduling Order | Provides for disclosure, discovery, or preservation of electronically stored information.
Rule 26(a)(1)(A)(ii) | Initial Disclosure | Requires each party to provide a copy, or a description by category and location, of all documents, electronically stored information, and tangible things that the disclosing party has in its possession, custody, or control and may use to support its claims or defenses, unless the use would be solely for impeachment.
Rule 26(b)(2)(B) | Specific Limitations on Electronically Stored Information | Allows a party to withhold discovery of electronically stored information from sources that the party identifies as not reasonably accessible because of undue burden or cost.
Rule 26(f)(3)(C) | Discovery Plan | Provides a format to state issues that may arise regarding the disclosure, discovery, or preservation of electronically stored information, including the form or forms in which it should be produced.
Rule 34(b)(1)(C) | Procedure | Allows the requesting party to specify the form or forms in which electronically stored information is to be produced.
Rule 37(e) | Failure to Preserve Electronically Stored Information | Allows remedies if electronically stored information that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to preserve it, and it cannot be restored or replaced through additional discovery.


You can access the entire text of the 2018 version of the Federal Rules of Civil Procedure at http://www.uscourts.gov/rules-policies/current-rules-practice-procedure/federal-rules-civil-procedure. TIP: Understanding the rules of discovery that exist before and during a lawsuit will help you structure your information and records management processes to support the rules of civil and criminal procedure.
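The retention, retrieval and deletion obligations above are easiest to defend when the retention job itself enforces them. The following is an added example written for this edit, not code from the book: a retention sweep that applies a per-category retention period, refuses to delete anything covered by an active legal hold (so a routine deletion cannot become a Rule 37(e) failure to preserve), writes a SHA-256 audit entry for each deletion, and summarizes held records by category and location in the spirit of the Rule 26(a)(1)(A)(ii) description. The record categories, retention periods, sample records and hold list are constructed assumptions, not a recommended policy.

```python
"""Retention sweep that honours legal holds and keeps a defensible audit trail.

Added example for this section, not code from the book. Categories, retention
periods, sample records and holds below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib

# Retention period per record category, in days (assumed policy values).
RETENTION_DAYS = {"email": 3 * 365, "chat": 365, "log": 90, "contract": 7 * 365}


@dataclass
class Record:
    record_id: str
    category: str
    location: str      # system and container holding the record
    custodian: str     # person or team responsible for it
    created: date
    content: bytes


@dataclass
class SweepResult:
    deleted: list = field(default_factory=list)
    retained: list = field(default_factory=list)
    held: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)   # one entry per deletion


def matches_hold(record, hold):
    """A hold covers a record if it names the record's custodian or category."""
    return (record.custodian in hold.get("custodians", ())
            or record.category in hold.get("categories", ()))


def sweep(records, holds, today):
    """Delete only records that are past retention AND not under any hold.

    Deletion is simulated: the audit entry records what was removed, under
    which policy, and a SHA-256 of the content so the action can later be
    shown to be routine rather than selective.
    """
    result = SweepResult()
    for rec in records:
        if any(matches_hold(rec, h) for h in holds):
            result.held.append(rec.record_id)        # a hold always wins over retention
            continue
        expiry = rec.created + timedelta(days=RETENTION_DAYS[rec.category])
        if today < expiry:
            result.retained.append(rec.record_id)
            continue
        result.audit_log.append({
            "record_id": rec.record_id,
            "category": rec.category,
            "location": rec.location,
            "sha256": hashlib.sha256(rec.content).hexdigest(),
            "policy_days": RETENTION_DAYS[rec.category],
            "deleted_on": today.isoformat(),
        })
        result.deleted.append(rec.record_id)
    return result


def disclosure_by_category_and_location(records, holds):
    """Count held records per category and location: a description of what
    exists and where it lives, in the style of Rule 26(a)(1)(A)(ii)."""
    summary = {}
    for rec in records:
        if any(matches_hold(rec, h) for h in holds):
            by_location = summary.setdefault(rec.category, {})
            by_location[rec.location] = by_location.get(rec.location, 0) + 1
    return summary


# Constructed sample data (not real records or holds).
SAMPLE_RECORDS = [
    Record("r1", "email", "m365/mailbox/alice", "alice", date(2016, 1, 10), b"quarterly numbers"),
    Record("r2", "log", "siem/index/firewall", "soc", date(2019, 9, 1), b"deny 10.0.0.5 -> 10.0.0.9"),
    Record("r3", "chat", "slack/#eng", "bob", date(2019, 10, 1), b"ship it"),
    Record("r4", "contract", "sharepoint/legal/acme", "carol", date(2012, 5, 5), b"MSA v1"),
]
SAMPLE_HOLDS = [{"hold_id": "H-2020-01", "custodians": ["alice"], "categories": ["contract"]}]
SWEEP_DATE = date(2020, 1, 15)


def run_sample():
    """Run the sweep over the constructed data: r1 and r4 are held, r2 (a 90-day
    log) is past retention and deleted, r3 is still inside its retention period."""
    return sweep(SAMPLE_RECORDS, SAMPLE_HOLDS, SWEEP_DATE)


if __name__ == "__main__":
    res = run_sample()
    print("held:", res.held, "retained:", res.retained, "deleted:", res.deleted)
    print("audit:", res.audit_log)
    print("disclosure:", disclosure_by_category_and_location(SAMPLE_RECORDS, SAMPLE_HOLDS))
```

The design point is the order of the checks: the hold test runs before the retention arithmetic, so a record that is years past its retention date is still kept the moment a hold names its custodian or category, and the audit log exists only for deletions, which is what you will be asked to produce when opposing counsel questions why a record is gone.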

2.11 State Computer Crime Laws

In 1978, Arizona and Florida, under increasing pressure from their attorneys general to have more relevant laws for prosecuting computer criminals, enacted the first state-level computer crime statutes. By 1999, every state had passed some form of computer security law. While some states modeled their laws on the proposed Federal Computer Systems Protection Act of 1979, others created statutes from existing property theft laws, treating theft of information or money in electronic form as essentially the same as the physical act. The period from 1978 to 1998 provided ample prosecuting experience for states to decide that a state-specific guideline for drafting and amending computer security laws was required. States wanted a framework that was less dependent on the US federal government and existing theft statutes. In 1999, a council of states was convened to create the Model State Computer Crimes Code. The model organized computer protection statutes into eight categories: procedural issues; non-sexual crimes against persons; sexual crimes; crimes involving computer intrusions and damage; fraud and theft crimes; forgery crimes; gambling and other crimes against public morality; and crimes against the state government (Brenner, 2001).

State laws tend to identify degrees of computer offenses to reflect the severity of the offense. For example, crimes classified as aggravated carry higher penalties. Examples of aggravated cybercrime include significant harm to victims and damage to hacked computers. Ransomware attacks would qualify as aggravated cybercrime due to the extensive damage inflicted on victims. Penalties can vary widely between states. For instance, in New Jersey a loss of more than $200 is a felony; in South Dakota damages must exceed $1,000; and in Connecticut the threshold is $10,000.

A common feature of state computer crime laws is the requirement that the offender act with a specified mental state (mens rea, such as "knowingly" or "intentionally") to be convicted of an offense. This is an element the prosecution must prove from the circumstances of the act, not a psychiatric evaluation of the defendant, and it matters to you because the logs and forensic artifacts you preserve are often the evidence from which intent is shown. Many state laws also give the victim the ability to sue for civil relief and receive compensation for their damages. Under many state laws, cybercriminals can also expect to forfeit all of their computer equipment once convicted.

State jurisdiction is evolving. Initially, states envisioned their laws applying primarily to in-state crimes where the perpetrator and victim both reside. However, advances in technology such as the cloud and virtual computing created a situation in which states needed to define jurisdiction in several ways. States face situations where criminals located outside the state cause substantial harm and losses to their citizens. Take, for example, a case in which a cybercriminal in one state is hacking into persons or companies in another state. The hacker has no intent to cause harm in his own state, so the state where his victims reside must ask the hacker's home state to assist in the prosecution. Depending on the states' relationship and resources, they may or may not cooperate. Some states experiencing this situation have amended their computer crime statutes to specify that those who commit a crime by accessing a computer in another state will be "deemed to have personally accessed the computer" in both states and can be prosecuted in either state (Brenner, 2001). This jurisdictional nuance has created unintended consequences, where state-to-state and federal-to-state jurisdictional conflicts now exist. In cases where the cybercrime is particularly egregious or aggravated, all states affected may wish to pursue a case, resulting in a situation of excess jurisdiction. TIP: To research which state computer crime laws your cybersecurity program must follow, visit the National Conference of State Legislatures website, where a current list of computer crime statutes is maintained.

2.11.1 State Ransomware Laws

States are always looking for ways to protect their citizens from cyberattacks. Aside from general cybercrime legislation, many states enact specific laws to address emerging cyber threats they feel are not covered under their current laws. The emergence of ransomware laws is just one example of this. Given the pervasive nature of ransomware and the widespread destruction exacted on companies, it was only a matter of time before laws were passed to thwart ransomware operators. California, Wyoming and, to a lesser extent, the US Federal government (discussed later) have all enacted laws to slow the spread of ransomware attacks. On September 27, 2016, California amended Section 523 of its Penal Code through Senate Bill No. 1137, effective January 1, 2017. The law specifically makes computer-based extortion a punishable offense. The California law defines ransomware as a computer contaminant or lock placed or introduced without authorization into a computer, computer system, or computer network that restricts access by an authorized person to the computer, computer system, computer network, or any data therein, under circumstances in which the person responsible for the placement or introduction of the ransomware demands payment of money or other consideration to remove the computer contaminant, restore access to the computer, computer system, computer network, or data, or otherwise remediate the impact of the computer contaminant or lock (SB-1137, 2016). Table 2-7 shows which states have enacted laws that target ransomware.

Table 2-7. State Ransomware Laws

State | Law | Year | URL
California | SB-1137 | 2016 | http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=PEN&sectionNum=523.
Connecticut | CGS § 53a-262 (2017 H.B. 7304, Public Act 17-223) | 2017 | https://www.cga.ct.gov/2017/ACT/pa/2017PA-00223-R00HB-07304-PA.htm
Michigan | HB 5257 & HB 5258 | 2018 | http://www.legislature.mi.gov/mileg.aspx?page=GetObject&objectname=2017-HB-5257
Texas | H.B. 9, Chap. 684 | 2017 | https://capitol.texas.gov/tlodocs/85R/billtext/html/HB00009F.htm
Wyoming | 6-3-506 & 6-3-507 | 2014 | https://codes.findlaw.com/wy/title-6-crimes-and-offenses/wy-st-sect-6-3-303.html

Some states, such as New York, are even attempting to enact laws that would make it a crime to use taxpayer money to pay ransom demands.

2.11.2 Federal Ransomware Laws

The US federal government has been slow to act when it comes to passing legislation criminalizing ransomware attacks, their operators' actions and the ultimate impact on organizations (victims). I believe this is mostly due to legislators believing current laws already conclude ransomware is a crime and is covered under existing statutes. However, a new law passed by the US House, H.R. 5074 – DHS Cyber Hunt and Incident Response Teams Act of 2019, was inspired by the reported increasing number of ransomware attacks. Although the Act never mentions the word ransomware once, it does authorize the Department of Homeland Security to maintain cyber hunt and incident response teams. The intended purpose is centered on leading a Federal asset protection response to assist Federal and non-Federal organizations alike in responding to cyberattacks. The presumption is that ransomware clearly falls within the Act's mandate. The asset protection response outlined in the Act includes:

A. Assistance to asset owners and operators in restoring services following a cyber incident;
B. Identification and analysis of cybersecurity risk and unauthorized cyber activity;
C. Mitigation strategies to prevent, deter, and protect against cybersecurity risks;
D. Recommendations to asset owners and operators for improving overall network and control systems security to lower cybersecurity risks, and other recommendations, as appropriate; and
E. Such other capabilities as the Secretary determines appropriate (H.R. 5074).

2.11.3 State Cyber Reserve Laws

Drawing from my high school history class, I remember learning that the Army National Guard has been around since 1636, when three militias were armed to defend against the Pequot Indians attacking the Massachusetts Bay Colony. Today, the National Guard is defending against a different type of threat: cyberattacks. With 3,880 cyber service members in 59 cyber units in 38 states, and scheduled to grow (Maucione, 2019), I expect the National Guard to be on the front lines of cyberwar. But for some states, the National Guard isn't enough to protect against ransomware and other cyberattacks. For example, Ohio is moving to strengthen its cyber defenses by creating a new unit tasked with responding when local governments are digitally attacked. Ohio's governor, Mike DeWine, signed Senate Bill 52, which creates a cyber reserve force under the direction of the Ohio Adjutant General, who also oversees the Ohio National Guard. Like the National Guard, members of the cyber force could be activated in response to an emergency, but otherwise would work their normal jobs. Unlike the National Guard, however, cyber reserve forces will be civilians (Tobias, 2019). Based on the success of Ohio's pilot program, other states may follow their lead and create their own civilian cyber defense army.

2.11.4 State Denial of Service Laws

In a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack, attackers flood the bandwidth or resources of a targeted company's network or servers with bogus traffic, preventing legitimate users from gaining access. At the Federal level, the primary law that applies to DoS as well as DDoS attacks is the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. The applicability of this law was tested in the case of United States v. Dennis in the District of Alaska in 2001. In this case, a former computer systems administrator in Alaska pled guilty to one misdemeanor count for launching three e-mail-based DoS attacks against a server at the U.S. District Court in New York. The administrator was charged under 18 U.S.C. § 1030(a)(5) with "interfering with a government-owned communications system" (Mirkovic, J., Dietrich, S., Dittrich, D., Reiher, P., 2005). Many states believed the Computer Fraud and Abuse Act either doesn't apply or does not go far enough to protect against DoS or DDoS attacks occurring within their state boundaries. To address the perceived lack of jurisdiction, states began to pass their own denial-of-service attack laws. Presently 25 states have enacted specific legislation designed to address these types of attacks. Upon review of these laws I found two common clauses:

• Computer attacks resulting in what is commonly known as Denial of Service or Distributed Denial of Service.
• Denial of access to legitimate users of a computer system, network, or program.

Be sure to check the denial of service laws applicable to your organization's geography by going to Laws Addressing Denial of Service Attacks on NCSL's Computer Crime Statutes page at http://www.ncsl.org/research/telecommunications-and-information-technology/computer-hacking-and-unauthorized-access-laws.aspx.
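The distinction the section draws between a DoS and a DDoS attack is visible in a web server's access log: one source sending requests at a rate no legitimate client needs, versus many sources that each look benign but together exhaust the service. The detector below is an added example written for this edit, not code from the book or from any of the cases cited. It parses constructed Apache-style access-log lines, keeps a sliding time window of recent requests per source and overall, and raises a "dos" alert for a single flooding source or a "ddos" alert when the aggregate rate crosses a threshold while many distinct sources are present. The log lines, addresses, window length and thresholds are constructed assumptions; production thresholds have to come from the service's own traffic baseline.

```python
"""Sliding-window flood detector over web access logs: a single-source flood
(DoS) versus a many-source flood (DDoS).

Added example for this section, not code from the book. Log lines, addresses,
window and thresholds are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Apache/nginx "combined"-style line: ip ident user [timestamp] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp) for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def detect_floods(lines, window_s=10, per_source_max=50, aggregate_max=200, min_sources=100):
    """Scan lines in time order and return a list of (kind, source, time) alerts.

    "dos":  one source exceeds per_source_max requests inside the window.
    "ddos": total requests exceed aggregate_max while at least min_sources
            distinct clients are present, so no single source stands out.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[1])
    horizon = timedelta(seconds=window_s)
    recent = deque()            # (ts, ip) for every request still inside the window
    active = defaultdict(int)   # requests per source inside the window
    flagged, ddos_open, alerts = set(), False, []
    for ip, ts in events:
        recent.append((ts, ip))
        active[ip] += 1
        while ts - recent[0][0] > horizon:      # age out requests older than the window
            old_ts, old_ip = recent.popleft()
            active[old_ip] -= 1
            if active[old_ip] == 0:
                del active[old_ip]
        if active[ip] > per_source_max and ip not in flagged:
            flagged.add(ip)                      # alert once per flooding source
            alerts.append(("dos", ip, ts.isoformat()))
        if len(recent) > aggregate_max and len(active) >= min_sources:
            if not ddos_open:                    # alert once per flood episode
                ddos_open = True
                alerts.append(("ddos", f"{len(active)} sources", ts.isoformat()))
        else:
            ddos_open = False
    return alerts


def sample_log():
    """Constructed access-log lines: normal traffic, then one client hammering
    the server, then 150 clients sending two requests each inside ten seconds."""
    t0 = datetime(2019, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = []

    def add(ip, offset_s, req="GET / HTTP/1.1", status=200):
        stamp = (t0 + timedelta(seconds=offset_s)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{stamp}] "{req}" {status} 512')

    for i in range(5):                  # legitimate client, one request per second
        add("198.51.100.20", i)
    for i in range(60):                 # DoS: one source, ten requests per second
        add("203.0.113.7", 20 + i // 10)
    for i in range(300):                # DDoS: 150 sources, two requests each
        add(f"192.0.2.{i % 150 + 1}", 60 + i // 30)
    lines.append("not a log line")      # malformed input is skipped, not fatal
    return lines


def run_sample():
    """Expected: one "dos" alert for 203.0.113.7, then one "ddos" alert naming 150 sources."""
    return detect_floods(sample_log())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Note what the per-source threshold alone misses: during the DDoS burst no client exceeds two requests, so a rule that only counts requests per address never fires, which is exactly why the statutes quoted above describe the result (denial of access to legitimate users) rather than any particular traffic pattern.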

2.11.5 State Election Security Legislation

The U.S. Senate Intelligence Committee's report on Russian Active Measures Campaigns and Interference in the 2016 U.S. Election found that Russia tried to attack every state's election system during the 2016 campaign. The committee found that cyber agents probed states for weaknesses, broke into Illinois' voter registration database, and primed a social media bot network to cause chaos. Across the US as well as in foreign countries, election officials are launching initiatives to protect electronic voting. Election fraud and the belief that foreign governments have interfered with US elections have been the driver of many election security laws introduced in the 116th Congress (2019 – 2020). Of the dozens of bills introduced, these stand out as being the most comprehensive in their incorporation of cybersecurity as a safeguard:

• H.R. 1 – For the People Act of 2019 – Provides $1.5 billion in new voting technology funding, including strengthening resources to combat cybersecurity threats to elections.
• H.R. 3412 – Election Security Assistance Act – Enhances election technology and makes election security improvements.
• H.R. 2660 – Election Security Act of 2019 – Election infrastructure designation.
• H.R. 52 – SAFETI Act – Report on actions taken by DHS relating to terrorist threats to the integrity of federal elections.
• H.R. 2722 – SAFE Act – Voting system security improvements.
• S. 1319 – PRIDE Voting Act – Implements cybersecurity standards and best practices developed by the National Institute of Standards and Technology (NIST).
• H.R. 4990 – Election Technology Research Act of 2019 – Directs NIST and the National Science Foundation (NSF) to conduct research activities to promote the security of voting systems.

The sheer number of bills introduced announces to the public that Congress takes election fraud seriously and is willing to pass legislation, make grants and direct the appropriate agencies to ensure free, fair and secure elections. With the 2020 US election looming, we can expect a few of these bills to pass.


2.11.6 State Anti-Phishing Laws

Phishing has been the workhorse of hackers for years now, spinning out huge amounts of spam, fraudulent text messages, or deceptive emails and websites to lure computer users into unwittingly turning over their account credentials. Many states have laws that prohibit stealing someone else's identity or personal information, but not all have laws prohibiting the use of phishing attacks to gain confidential or personal information. For those states that do not have specific anti-phishing laws, there are laws that prosecutors believe already cover prosecuting perpetrators of phishing attacks.

According to the National Conference of State Legislatures (NCSL), a minority of states currently have specific phishing laws: 23 states and Guam, to be exact. While phishing is covered under these state laws, no Federal anti-phishing law has ever been passed. Not for lack of trying, however: in 2004, S. 2636 – Anti-phishing Act of 2004 was introduced, but it soon died on the vine, never making it past the introduction stage.

Did You Know? In 2018, in the case of Curry v. Schletter Inc., the judge ruled that businesses can no longer claim innocence in certain cases where phishing attacks compromised employee data privacy. The ruling states that employers must take clearly sufficient measures to safeguard their workforce from vulnerabilities like phishing. Source: https://law.justia.com/cases/federal/district-courts/north-carolina/ncwdce/1:2017cv00001/85986/35/

How states address phishing attacks varies widely. While some classify the crime as a felony, others classify it as a misdemeanor. Jail or prison time resulting from a conviction is commensurate with the classification of the crime. Some of the state laws provide for victim restitution, where, if convicted, the offender must compensate the victim for financial losses. Ensure you know whether your state has an anti-phishing law by checking the NCSL site at http://www.ncsl.org/research/telecommunications-and-information-technology/state-phishing-laws.aspx.

2.11.7 Identity Theft Laws

You would be hard pressed to find anyone who has not heard of, or does not know, someone who has had their identity stolen. The airwaves are full of ads for identity theft prevention and restoration services, and many homeowner's insurance policies include identity theft protection. Identity theft has been with us for quite some time. In 1998, more than 20 years ago, the Federal government passed H.R. 4151, the Identity Theft and Assumption Deterrence Act of 1998, acknowledging the growing problem. Realizing that wasn't enough of a deterrent, the Federal government passed H.R. 1731, the Identity Theft Penalty Enhancement Act of 2004, which classified some types of identity theft as an aggravated crime. An aggravated crime is an offense that is more serious as a result of its specific elements; in this example, identity theft used to commit crimes such as immigration violations, theft of Social Security benefits, and domestic terrorism is a felony.

The epidemic of identity theft has led to every state passing at least one law that pertains to identity theft or impersonation. Approximately 30 states, as well as Guam, Puerto Rico and the District of Columbia, have enacted restitution provisions for identity theft, requiring those convicted to reimburse their victims for their losses. Five states (Iowa, Kansas, Kentucky, Michigan and Tennessee) have passed forfeiture provisions for identity theft crimes. Several states, including Arkansas, Delaware, Iowa, Maryland, Mississippi, Montana, Nevada, New Mexico, Ohio, Oklahoma and Virginia, have passed identity theft passport programs to protect victims from continuing identity theft. Each of these provisions is described here:

• Restitution Programs – If you're a victim of identity theft in a state that has a victim compensation statute, you may be able to recoup losses from the person or persons who stole your identity. Victims may also qualify for government-run compensation programs when there hasn't been a conviction, or the defendant doesn't have enough money to pay restitution.
• Identity Theft Passport Programs – Victims of identity theft who have filed a police report can request an Identity Theft Passport from states offering this type of program. The passport is generally an indicator on one's driver's license showing that the holder has been a victim of identity theft. Passports are designed to prevent innocent citizens from being arrested for crimes committed by those who have stolen their identity.
• Forfeiture Programs – Encompass the seizure and forfeiture of assets representing the proceeds of, or used to facilitate, identity theft crimes. Removing the proceeds of identity theft and other assets relied upon by criminals restricts their ability to commit future identity theft crimes.

TIP: To locate specific identity theft laws by state, go to http://www.ncsl.org/research/financial-services-and-commerce/identity-theft-state-statutes.aspx. Once at the site, select the states you're interested in to reveal each state's statutory information.

2.11.8 State Cyberbullying Laws

In 2014, the Centers for Disease Control and Prevention and the Department of Education released the first federal uniform definition of bullying for research and surveillance. The core elements of the definition are unwanted aggressive behavior; an observed or perceived power imbalance; and repetition of behaviors or a high likelihood of repetition. There are many different modes and types of bullying, and state law responds to them in the following ways:

• Criminal sanction. Almost every state has a law that expressly criminalizes electronic forms of harassment. The only states that don't are Maine, Minnesota, Nebraska, New Hampshire, New Mexico, and Wyoming.
• School sanction. In 45 states, bullying laws include provisions empowering schools to discipline students appropriately. The exceptions here are Alabama, Michigan, Montana, New Hampshire (again), and Nevada.
• School policy. In every state except Montana, the bullying law requires schools to have a formal policy to identify bullying and discuss the possible disciplinary responses.
• Off-campus behavior. Federal case law allows schools to discipline students for off-campus behavior that substantially disrupts the learning environment, and 16 states have statutes to that effect as well.

As of the writing of this book, no federal law exists against cyberbullying. However, all fifty states do have some form of anti-cyberbullying law (Cyberbullying Research Center, 2019).

TIP: www.stopbullying.gov provides a wealth of information on anti-cyberbullying programs, state laws, and statistics.

2.12 False Claims Act (FCA)

You have undoubtedly heard the adage, “what was once old is now new again.” This is particularly true of the False Claims Act (FCA), 31 U.S.C. §§ 3729 – 3733, originally passed over 150 years ago, in 1863. Congress passed the FCA in response to rampant claims of fraudulent goods being sold to the US Government. It was the first whistleblower law: it empowered citizens to act as whistleblowers and receive financial incentives for filing claims against companies selling faulty goods. Today, the FCA is being used to combat corrupt companies attempting to defraud the US government by exaggerating the cybersecurity claims of their products and services.

An example of the FCA in action is a lawsuit brought against Aerojet in early 2019. In this case, Aerojet’s former director of cybersecurity compliance and controls filed a lawsuit under the FCA for Aerojet’s misrepresentation of its compliance with cybersecurity requirements relating to the award of several DOD and NASA contracts. The whistleblower claims that an outside consulting firm audited Aerojet’s compliance with the DOD and NASA cybersecurity requirements in early 2014 and found the company to be “less than 25 percent compliant” with the National Institute of Science and Technology and DFAR standards. He consequently refused to sign documents affirming compliance with those standards, and Aerojet terminated his employment (Detrani, 2019).

Summary

The objective of this chapter has been twofold. First, to reinforce your understanding of your legal obligations and duties as an employee, manager, officer, or director who is directly involved with your organization’s cybersecurity program. Second, to provide you with insight into where to begin aligning your cybersecurity program with civil and criminal rules of procedure. By now, you no doubt realize that a partnership with your company’s legal department is a necessity, given the number of laws that affect what you do and the complexity of those laws. You should also start to see that your role (and that of cybersecurity) in the organization is much bigger than you may have previously realized.


References

Aguilar, L. A. (2014, June 17). Boards of directors, corporate governance and cyber-risks: Sharpening the focus. Harvard Law School Forum on Corporate Governance and Financial Regulation. Retrieved from https://corpgov.law.harvard.edu/2014/06/17/boards-of-directors-corporate-governance-and-cyber-risks-sharpening-the-focus/
Anderson, R. (2015, May 28). The devil in the cyber insurance details. Advisen News. Retrieved from http://www.advisenltd.com/2015/05/28/the-devil-in-the-cyber-insurance-details/
Aubin, D. (2016, July 14). Scottrade wins dismissal of class action over data breach. Westlaw News. Retrieved from http://www.reuters.com/article/scottrade-cyber-idUSL1N1A023M
Brenner, S. W. (2001). State cybercrime legislation in the United States of America: A survey. Richmond Journal of Law and Technology, 7(3). Retrieved from http://scholarship.richmond.edu/cgi/viewcontent.cgi?article=1128&context=jolt
Cyber Promotions, Inc. v. Apex Global Information Services, Inc. (United States District Court for the Eastern District of Pennsylvania 1997).
Davis, W. (2016, January 25). Judge dismisses “faceprint” suit against Facebook in Illinois. The Daily Online Examiner. Retrieved from http://www.mediapost.com/publications/article/267390/judge-dismisses-faceprint-suit-against-facebook.html
Detrani, J. (2019, November 1). Tightrope walking the digital supply chain. Above the Law [Blog]. Retrieved from https://abovethelaw.com/2019/11/tightrope-walking-the-digital-supply-chain-part-i/?rf=1
Goldman, E. (2012, October 10). How Zappos' user agreement failed in court and left Zappos legally naked. Forbes. Retrieved from http://www.forbes.com/sites/ericgoldman/2012/10/10/how-zappos-user-agreement-failed-in-court-and-left-zappos-legally-naked/#2246b19b2f6b
Hancock v. State, 402 S.W.2d 906 (Tex. Ct. Crim. App. 1966).
Le, C. (1998). How have Internet service providers beat spammers? Richmond Journal of Law and Technology, 5(2). Retrieved from http://scholarship.richmond.edu/cgi/viewcontent.cgi?article=1054&context=jolt
McAndrew, E., Yannella, P., & Ricci, K. (2018, November 27). Pennsylvania Supreme Court recognizes common law duty to safeguard employees’ personal data [Blog]. Retrieved from https://www.cyberadviserblog.com/2018/11/pennsylvania-supreme-court-reverses-data-breach-class-action-and-recognizes-legal-duty-to-safeguard-employee-information/
Maucione, S. (2019, January 18). National Guard cyber units protect country’s interests, still face training issues. Federal News Network. Retrieved from https://federalnewsnetwork.com/defense-main/2019/01/national-guard-cyber-units-protect-countrys-interests-still-face-training-issues/
Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2005). Denial of Service: Attack and Defense Mechanisms. Upper Saddle River, NJ: Pearson Education, Inc.
Office of the Director of National Intelligence. (2015, July 21). Duty to warn (Intelligence Community Directive 191). Retrieved from https://www.dni.gov/files/documents/ICD/ICD_191.pdf
Pincus, W., & Loeb, V. (2000, July 16). Judge orders mediation in government's case against Wen Ho Lee. The Washington Post. Retrieved from http://community.seattletimes.nwsource.com/archive/?date=20000716&slug=4031995
SB-1137. (2017, September 27). Retrieved from http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201520160SB1137
Siegel, M. (2016, January 28). Michaels crafts successful motion to dismiss in data breach case. Cyber Law Monitor. Retrieved from http://cyberlawmonitor.com/2016/01/28/michaels-crafts-successful-motion-to-dismiss-in-data-breach-case/
Sprouse, W. (2016, May 20). UBS wins $1.1m from Wells Fargo in data theft case. OnWallStreet. Retrieved from http://www.onwallstreet.com/news/ubs-wins-11m-from-wells-fargo-in-data-theft-case
Swisher, K., & Wagner, K. (2016, September 22). Yahoo has confirmed a data breach with 500 million accounts stolen, as questions about disclosure to Verizon and users grow. Recode. Retrieved from http://www.recode.net/2016/9/22/13021300/yahoo-hack-data-breach-500-million-accounts-stolen
Tobias, A. (2019, October 25). Ohio beefs up cyber security with new response unit. Cleveland.com. Retrieved from https://www.cleveland.com/open/2019/10/ohio-beefs-up-cybersecurity-with-new-response-unit.html
Tuma, S. E. (2016, January 8). SuperValu data breach class action dismissed for lack of harm [Web log post]. Retrieved from https://shawnetuma.com/2016/01/08/supervalu-data-breach-class-action-dismissed-for-lack-of-harm/
Tung, J. R. (2016, June 1). 9th circuit revives bogus casting call Model Mayhem suit [Web log post]. Retrieved from http://blogs.findlaw.com/ninth_circuit/2016/06/9th-circuit-revives-bogus-casting-call-model-mayhem-suit.html
Ungerleider, N. (2015, July 24). 1.4 million Chrysler cars recalled due to security flaw. Fast Company. Retrieved from https://www.fastcompany.com/3049037/fast-feed/14-million-chrysler-cars-recalled-because-of-cybersecurity-flaws
US General Accounting Office. (1976, April 27). Computer-related crimes in federal programs (Publication No. FGMSD-76-27). Retrieved from http://www.gao.gov/products/FGMSD-76-27
US v. Robert Tappan Morris, 928 F.2d 504 (2d Cir. 1991). Retrieved from https://scholar.google.com/scholar_case?case=551386241451639668
Vaas, L. (2013, March 8). $5 million class action lawsuit over LinkedIn data breach dismissed [Web log post]. Retrieved from https://nakedsecurity.sophos.com/2013/03/08/linkedin-lawsuit-data-breach/


Self-Study Questions

The following exercises will help you hone your understanding of US cybersecurity law.

1. The Atomic Energy Act of 1954 was the first law that made unauthorized access to and use of restricted information a crime. Can you locate at least one other early computer crime statute enacted before 1980?
2. Work with your organization’s legal counsel to determine which approach to alternative dispute resolution is preferable.
3. Review the contracts and/or terms of service your organization contractually obligates customers to accept, and determine whether forced arbitration is specified.
4. Using your industry as a guide, research a similar organization that experienced a data breach-related lawsuit. Compare the case details to how your organization would respond to a class-action or shareholder lawsuit.
5. Create a foreseeable harm statement. Review your cybersecurity program within the context of how customer or employee information is protected and estimate the harm that could occur.
6. Create a duty of care statement. Compare your cybersecurity program to industry standards and determine whether your organization’s cybersecurity program would hold up in a court of law as an example of the duty of care to protect sensitive information.
7. Review your organization’s publicly stated position on cybersecurity safeguards; determine whether the statements are appropriate or whether they exaggerate your information protection and privacy capabilities.
8. Document the cybercrime experience of your organization’s in-house or outside legal counsel. If it is determined to be inadequate, arrange for outside counsel on retainer with expertise in cybercrime law.
9. Determine your organization’s duty to warn timeframe. Using data breach notification requirements as a guide, outline the timeframe required to notify regulators, customers, or legal entities.
10. Research and document the laws of the state in which your organization is headquartered to identify the enacted legal definitions of the degrees of computer offenses, including offense type and penalties.


Chapter 3 - Cyber Privacy and Data Protection Law

Remember the first time someone told a secret of yours even after they promised never to tell? That is exactly how it feels to hundreds of millions of people every year when they learn their secrets were betrayed by companies they trusted. Knowing that their private health or financial information is somewhere on the dark web going to the highest bidder causes them untold angst. People hold their privacy dear, and when it is violated, they will seek ways to punish those responsible for violating their trust. Despite the existence of many privacy laws prohibiting privacy violations, many companies still violate these laws. Understanding privacy law will enable you to keep customers’ secrets and continue to earn their trust. Privacy in the digital world becomes more complex when you add technology. Facial recognition, identification microchips, voice recognition assistants such as Amazon’s Alexa, Google Street View mapping cars equipped with cameras filming every inch of where we live, and big data engines harvesting our every move in digital existence have made protecting privacy rights a whole lot harder.

This chapter will help you to:

• Understand the types and scopes of data privacy laws.
• Know the types of legal actions that can occur as a result of a data breach.
• Gain insight into the actions necessary to avoid negligence claims in a class action lawsuit.
• Realize that data privacy case law sets the precedents for determining data breach litigation outcomes.
• Prepare your cybersecurity program in advance to support data breach litigation.


3.1 Common Law of Privacy

Quite often various amendments and laws are cited as the basis for privacy rights; however, most of these citations tend to be wrong. Did you know, for example, that the US Constitution contains no express right to privacy? The Bill of Rights does provide some protections of privacy in matters of beliefs, searches, the home, etc., but it stops short of specifying privacy as a fundamental right. If you remember back nearly 30 years to Judge Robert Bork’s Supreme Court confirmation hearing, he stated “that no such general right of privacy exists.” In the absence of clear guidance from the Constitution, we need to look to the law to establish a basis for privacy. This background is essential to your understanding of how privacy rights are legislatively created within the US.

I want to provide a little history in establishing what I believe is an excellent definition of privacy. In fact, courts will often refer to this definition of privacy even though it was drawn from a court case decided 60 years ago. In Housh v. Peth, privacy was defined in a way I believe you will agree holds true today:

An actionable invasion of the right of privacy is the unwarranted appropriation or exploitation of one’s personality, the publicizing of one’s private affairs with which the public has no legitimate concern, or the wrongful intrusion into one's private activities in such a manner as to outrage or cause mental suffering, shame or humiliation to a person of ordinary sensibilities. (Housh v. Peth, 1956)

In the Housh v. Peth opinion, you will see the origins of virtually all of today’s data privacy laws, past and present. The concepts of legitimate concern and wrongful intrusion form the foundation of local, state, and federal data privacy statutes. This privacy definition should clarify your mission of ensuring customer privacy. Sixty-six years before Housh v. Peth outlined privacy, the concern of privacy was raised in 1890, when Samuel Warren and Louis Brandeis wrote in a Harvard Law Review article titled The Right to Privacy that privacy is the “right to be left alone” (Brandeis & Warren, 1890). Their article was written in response to an emerging technology of the time, photography. We should expect privacy to continue to evolve as technology evolves.

3.2 Privacy Laws

One of a government’s principal responsibilities is to protect its citizens, safeguarding them from foreseeable harm. This responsibility to protect extends to cyberspace, where lawmakers legislate protection through Internet privacy laws. State and federal governments strive to protect our digital persona, or representation, through privacy-preserving legislation. Our digital persona is all the private information that describes who we are. These laws extend to virtually every form of digital media and consumer-facing Internet technology. Understanding the legal aspect of privacy law will allow you to make decisions on how to modify your organization’s privacy practices. I encourage you to leverage the Housh v. Peth definition when shaping and aligning your company’s privacy policies.

In the US, no single privacy law exists, and it would not be unusual for you to need to be aware of over 60 pieces of state privacy legislation should you have customers throughout the nation. Add to that the various federal and industry regulatory privacy statutes, and that number quickly grows. Enforcement of privacy laws varies. Regulatory agencies may not have the force of law behind them, but they nonetheless have civil financial penalty authority to enforce their privacy regulations. State and federal privacy laws do have the force of law behind them, and a negligent or criminal invasion of privacy could result in incarceration.

3.2.1 Children's Privacy Laws

We have all grown up knowing that children must be protected, for they lack the ability to protect themselves. We keep them from playing in the street and talking to strangers. Protecting them from the evils of the digital world is no different. According to the Pew Research Center, 88% of all teens (13 – 17 years old) have access to a desktop or laptop computer (Clement, 2018). This creates a potentially large victim pool for Internet-based crimes. We all need to commit to ensuring the privacy rights of children. If your organization interacts with minors digitally, there are specific laws with which you will need to be familiar.

3.2.1.1 Federal Children's Privacy Law

Enacted by the US Congress in 1998, a groundbreaking privacy law, the Children’s Online Privacy Protection Act (COPPA), became effective on April 21, 2000, to restrict the information collected on children under the age of 13. The act specifies that website providers must adhere to a privacy policy that requires verifiable consent from a parent or guardian for a child to access their site. The website provider must also document that appropriate safeguards are deployed to ensure the safety and privacy of the children using their site. The act restricts the type of digital marketing directed toward children. In 2013, the act was modernized to reflect the increased use of mobile devices and social networking by minors, where cookies and geolocation information can be used to track children's location and online activity. If your organization markets to children or allows children access to any of your company’s digital media, you must comply with COPPA. A court can fine a website operator who violates COPPA up to $41,484 per violation. The following is my summary of the COPPA provisions you would need to follow:

• Conspicuously post a comprehensive privacy policy.
• Directly notify parents of the collection and use of the data gathered.
• Obtain verifiable parental consent.
• Allow parents to review the personal information collected.
• Protect the confidentiality, security, and integrity of children's information.
• Retain personal information only for as long as is necessary.
• Refrain from gathering more information than is reasonably necessary.

TIP: Turn these requirements into a self-assessment checklist to validate that your organization follows COPPA requirements to protect children's privacy.

The act has a safe harbor provision that allows industry groups, companies, or other entities to submit an application for a self-regulatory framework for complying with the act’s final rule. You can opt in to one of these safe harbor provisions to comply with COPPA. A safe harbor provision is a rule within a regulation that specifies that if you adhere to certain rules of conduct, you will be in compliance with an act. If you use one of these frameworks you will be deemed in compliance with COPPA and subsequently exempt from Federal Trade Commission (FTC) enforcement actions. You can still, however, be fined if your practices are found to have willfully violated your chosen self-regulatory safe harbor framework. As of June 2016, the FTC has approved eight safe harbor programs (Federal Trade Commission – COPPA Safe Harbor Program), including:

• Aristotle Age Verification Solution.
• Better Business Bureau's Children's Advertising Review Unit (CARU).
• Entertainment Software Rating Board (ESRB) Kids Seal.
• Privacy Vaults Online Inc. (PRIVO).
• Safe Harbor, Identity, and Consent Service Provider.
• The Internet Keep Safe Coalition (iKeepSafe).
• Samet Privacy (kidSAFE).
• TRUSTe’s Children’s Privacy Program.

On August 30, 2018, PRIVO launched the GDPRkids™ Privacy Assured Program, a dedicated program of compliance with the General Data Protection Regulation (GDPR). The program will show your organization’s obligations as they relate to protecting children’s privacy under GDPR. The FTC has the authority to issue regulations to enforce COPPA. Curious as to how many companies have been fined over COPPA, I searched the FTC site for “COPPA violations” and was quite surprised by the extent of what I found. Table 3-1 presents some of the largest of the 20+ COPPA enforcement actions to date.


Table 3-1. COPPA Enforcement Actions

Year | Company | Violation | Settlement
2019 | Google and YouTube | Collected kids’ personal information without parental consent. | $170,000,000
2019 | Musical.ly (TikTok) | Failed to obtain parental consent before collecting or using children's personal information, and failed to delete such personal information following requests from parents. | $5,700,000
2018 | Oath, Inc. (AOL) | Ran online behavioral advertising auctions placing adverts on hundreds of websites that it knew were targeted at children under 13, such as Roblox.com and Sweetyhigh.com. | $4,700,000
2018 | VTech | Collected information from children without parents’ permission through connected toys, violating children's privacy. | $650,000
2018 | Explore Talent | Collected the same range of personal information from users who indicated they were under age 13 as from other users and made no attempt to provide COPPA-required notice or obtain parental consent before collecting such information. | $235,000
2016 | InMobi | Tracked the locations of hundreds of millions of consumers, including children, without their consent, in many cases totally ignoring consumers’ express privacy preferences. | $950,000
2016 | Yelp | Improperly collected children’s information. | $450,000
2014 | TinyCo | Encouraged kids to turn over their email addresses, but the company didn't get parental permission. | $300,000
2011 | Playdom, Inc. (Disney) | Illegally collected and disclosed personal information from hundreds of thousands of children under age 13 without their parents’ prior consent. | $3,000,000
2008 | Sony BMG Music | Improperly collected, maintained, and disclosed personal information from thousands of children under the age of 13 without their parents’ consent. | $1,000,000
2006 | Xanga.com | Collected, used, and disclosed personal information from children under the age of 13 without first notifying parents and obtaining their consent. | $1,000,000
2003 | Mrs. Fields | Failed to obtain verifiable parental consent before collecting personal information from children under 13. In addition, failed to post applicable policies. | $100,000

In September 2016, the New York State Attorney General’s (AG) Office closed a two-year investigation dubbed Operation Child Tracker. The AG secured $835,000 in COPPA violation settlements with Hasbro, Mattel ($250,000), Viacom ($500,000), and JumpStart ($85,000). Hasbro was not fined, however, because it participated in the COPPA safe harbor program. The benefit Hasbro enjoyed from participating in a safe harbor program shows the importance of such programs.

3.2.1.2 State Children's Privacy Laws

Some states do not believe that the federal COPPA act goes far enough to protect the children of their state. Consequently, they have enacted their own privacy statutes to protect children. If you operate in California or Delaware or have children as customers there, you will need to be aware of these 2015 laws. California passed the Privacy Rights for California Minors in the Digital World regulation and Delaware passed the Delaware Online Privacy and Protection Act, extending privacy to include removing unwanted information on minors and prohibiting the sale of products known to be harmful to children. More states will adopt these provisions in their existing child privacy laws going forward. Both states have added four more years to the age to which their statute applies by defining minors as under the age of 18, and both prohibit the marketing of products known to be harmful to children (e.g., alcohol, guns, and R-rated materials). The California statute differs from the Delaware law in that it permits minors or parents to directly remove, or request the removal of, information or photos posted on a website, online service, application (mobile or online), etc. Website or service providers must comply with the removal request. This type of law has been coined in the press as data erasure law.
3.2.2 Healthcare Data Privacy Laws

If you have spent any amount of time reviewing the Health Insurance Portability and Accountability Act’s (HIPAA) various proposed, interim, and final rules, you may have been as confused as I was. Since 1996, there have been numerous amendments to HIPAA, which makes keeping all of them straight challenging at best. This confusion may be one of the reasons so many companies today still find themselves under investigation for HIPAA violations and paying substantial fines.

3.2.2.1 HIPAA Privacy Rule

Much has been written on HIPAA, which passed in 1996; however, you have probably heard less about the legal aspect of the Standards for Privacy of Individually Identifiable Health Information, known as the “Privacy Rule.” Originally, Congress did not enact privacy legislation in HIPAA, forcing the US Department of Health and Human Services (HHS) to develop a rule regarding privacy. The Privacy Rule was passed on December 28, 2000, with an effective date of April 14, 2001. What is important for you to know is that this rule established a set of standards for ensuring the privacy of health information and specified the manner in which you are allowed to disclose protected health information (PHI). If you are a health care clearinghouse, health plan, or healthcare provider, you are considered a covered entity and are required to comply with this rule. The rule also specifies the rights your patients have in controlling the use of their PHI. Enforcement of the Privacy Rule comes under the auspices of the HHS Office for Civil Rights (OCR). Enforcement activities include voluntary compliance oversight and the issuing of financial penalties for noncompliance. The OCR has broad latitude in deciding how to handle violations and can assess penalties of up to $50,000 per violation or $1.5 million annually. Published August 14, 2002, the final rule’s effective compliance date was October 15, 2002. By now, you are considered in violation of the act if you have not implemented the required privacy controls within your enterprise.

Being equally curious about HIPAA violations and fines as I was about COPPA, I set out to the www.hhs.gov website to search for interesting cases. I found that financial penalties for noncompliance can be significant, as Maryland-based Cignet Health learned on February 4, 2011, when it became the first company fined under the act for violating its provisions. Cignet’s $4.3 million penalty was the result of violating 41 patients’ rights by denying them requested access to their medical records between September 2008 and October 2009. Remember the act’s provision that patients have control over their medical records? This is an example of what happens if you don’t provide them with timely access to their records. Cignet is not the only example of a company paying substantial fines for violating the Privacy Rule. Massachusetts General Hospital paid a $1 million penalty in 2011 for a 2009 incident in which an employee left the PHI of 192 patients on a subway train in Boston. And in case you are thinking these old cases don’t represent what happens today, you would be wrong. Take the recent example of the Feinstein Institute for Medical Research, which agreed to pay $3.9 million and undertake substantial remediation of its privacy safeguards on March 17, 2016. On July 16, 2016, the University of Mississippi Medical Center (UMMC) agreed to pay $2.75 million for violating the Privacy Rule. The sad tale of all these companies paying fines is that the money could have, and should have, gone toward improving their privacy controls in the first place.

At this point, you may be asking yourself how so many companies can violate a privacy standard that has been in existence for over 16 years. In fact, according to HHS, there have been 213,561 complaints filed under the Privacy Rule through July 31, 2019. Of these, 27,109 have been investigated and resolved by requiring covered entities to make changes to their privacy practices. The most interesting facts in HHS’ data are that 65 cases resulted in fines totaling nearly $102,681,582 and 760 complaints were severe enough to be referred to the Department of Justice (DOJ) for criminal investigation (US Department of Health and Human Services, 2019). In cases of willful violations, the OCR can refer the matter to the DOJ to pursue criminal charges. The act states that accessing PHI without authorization and subsequently disclosing the information to a third party can result in a jail term of up to 10 years in addition to a maximum fine of $500,000 for disclosures made for personal gain. The first DOJ criminal referral led to a 16-month prison sentence for a former employee of a Seattle, WA cancer clinic who fraudulently obtained credit

cards using PHI and charged about $9,000 in a patient’s name (First Ever HIPAA, 2004). There have been approximately two dozen convictions to date involving incarceration. The OCR Privacy Rule allows state healthcare protection legislation to trump the OCR’s Privacy Rule if the state’s privacy protections are greater than OCR’s. One example of this is the Texas Health and Safety Code’s protection of health records, which includes a broader definition of what is considered a covered entity, including some private companies. Table 3-2 shows some of the largest HIPAA fines assessed by the OCR.

Table 3-2. Largest HIPAA Fines

Date | Covered Entity | Fine | Reason
2019 | Cottage Health | $3,000,000 | Risk analysis failure; risk management failure; no BAA.
2019 | Touchstone Medical Imaging | $3,000,000 | Settlement of a breach exposing over 300,000 patients' protected health information.
2018 | Anthem | $16,000,000 | Cybercriminals breached its defenses and gained access to its systems and members’ sensitive data. With assistance from cybersecurity firm Mandiant, Anthem determined this was an advanced persistent threat attack, a continuous and targeted cyberattack conducted with the sole purpose of silently stealing sensitive data.
2018 | University of Texas MD Anderson Cancer Center | $4,348,000 | Impermissible disclosure of ePHI; no encryption.
2018 | Fresenius Medical Care North America | $3,500,000 | Risk analysis failures; impermissible disclosure of ePHI; lack of policies covering electronic devices; lack of encryption; insufficient security policies; insufficient physical safeguards.
2017 | Children’s Medical Center of Dallas | $3,217,000 | A breach of patients’ electronic protected health information (ePHI) involving the loss of a BlackBerry device containing the ePHI of 3,800 patients. The device was not encrypted and was not protected with a password, allowing any individual who found the device to access the ePHI of patients.
2016 | Advocate Health Care Network | $5,500,000 | Three data breaches affected the protected information of roughly 4 million people, compromising demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth.
2016 | New York-Presbyterian Hospital | $2,200,000 | Television film crews for the show "NY Med" filmed two patients in the hospital without obtaining their authorization. OCR found the hospital also allowed film crews "virtually unfettered access to its healthcare facility, effectively creating an environment where PHI could not be protected from impermissible disclosure to the ABC film crew and staff."
2015 | Triple-S Management | $3,500,000 | Mailing of a pamphlet that showed the Medicare Health Insurance Claim Numbers of subscribers.
2014 | New York-Presbyterian Hospital and Columbia University | $4,800,000 | Settlement of charges from a 2010 breach in which a Columbia-based physician attempted to deactivate a personal computer, connected to the New York-Presbyterian network, that contained patient information.
2014 | Concentra Health Services (Addison, Texas) | $1,700,000 | An unencrypted laptop was stolen from one of its facilities in 2012.
2013 | Oregon Health & Science University | $2,700,000 | Two 2013 data breaches affecting more than 7,000 patients in total. In the first breach, an unencrypted laptop containing patient information was stolen from a surgeon's vacation home. In the second breach, residents and physicians-in-training had stored patient information in a Google-based cloud system that was not approved for storing such data.
2013 | Advocate Health System | $5,550,000 | Three data breaches that occurred in 2013. In total, the three incidents compromised the protected health information of 4 million individuals.
2013 | WellPoint (Indianapolis) | $1,700,000 | A data breach exposed the protected health information of more than 612,000 individuals in a database. The investigation found inadequate policies and safeguards to protect such information.
2012 | Alaska Department of Health and Social Services | $1,700,000 | Stolen USB hard drive containing protected health information. The OCR's investigation found ADHSS did not have adequate policies and procedures in place to safeguard electronic protected health information.
2011 | Cignet Health of Prince George's County | $4,300,000 | Failing to cooperate with Office for Civil Rights (OCR) investigations and demonstrating “willful neglect” to comply with the Privacy Rule.
2009 | CVS Pharmacy | $2,700,000 | Failed to take reasonable and appropriate security measures to protect sensitive information of customers and employees.

3.2.2.1.1 Law Enforcement HIPAA Disclosure

The act does allow a covered entity to disclose limited PHI under certain circumstances to law enforcement in the course of official business. However, it is critical that a fully vetted, legally reviewed policy and procedures document is implemented to prevent Privacy Rule violations. Law enforcement officials do not care about your violating HIPAA when pursuing a case, and your organization will be the one left with the consequences. Table 3-3 provides guidance for the development of security policies covering interactions with law enforcement when patient information is requested or demanded.

Table 3-3. Law Enforcement Interaction Security Policy Guidance

Reporting Scenario | Disclosure Examples

Requested reporting:
- Specific patient name request
- Court order
- Victim information
- Patient in custody
- HIPAA compliant authorization

Mandatory reporting:
- DUI testing
- Elderly abuse patient
- Child abuse patient
- Patient injured by a weapon
- Deceased patient resulting from a crime

Permitted reporting:
- Criminal conduct
- Criminal or victim identification
- Avert serious or imminent crimes

For more information regarding law enforcement interactions, check out HHS’ Disclosures for Law Enforcement Purposes information at http://www.hhs.gov/hipaa/for-professionals/faq/disclosures-for-law-enforcement-purposes. You should also create these policies in conjunction with your organization’s legal counsel.


3.2.2.1.2 HITECH Act

In 2010, the Health Information Technology for Economic and Clinical Health (HITECH) Act was included within the American Recovery and Reinvestment Act (ARRA). The act was primarily designed to promote the adoption of health information technology during the economic crisis in the US. The act included provisions for ensuring the privacy of electronically transmitted health information. On January 17, 2013, the OCR issued the final rule, which expanded the privacy requirements. If you are a covered entity, you should have been in compliance with the HITECH Act beginning in September of 2013. Here is what the HITECH Act requires you to comply with:

• Business Associates (BA). BAs are now on the hook for complying with certain provisions of HIPAA. BAs can include software providers, service providers, and other companies that provide products or services in the health care industry.
• Electronic Health Record (EHR) Access. Companies using EHR must allow access in a timely fashion to patients requesting their records.
• Enforcement. The act provides strict enforcement of its provisions, consisting of fines up to $1.5 million per year. Willful neglect offenses will be given the highest priority, with some cases referred to the DOJ for criminal prosecution. Enforcement is also extended to business associates.
• Breach Notification. Covered entities must disclose breaches of unencrypted PHI. Breaches exceeding 500 records must be reported to HHS, and you will end up on the OCR Breach Portal (Notice to the Secretary of HHS Breach of Unsecured Protected Health Information), more affectionately known in the industry as the “wall of shame” (US Department of Health and Human Services, n.d.). Affected patients must also be notified.

Did You Know? Coffey Health System agreed to pay $250,000 to settle allegations that it falsely attested to conducting a security risk analysis as required under the HITECH Act electronic health records financial incentives program. Two whistleblowers in the case - the hospital's former CIO and corporate compliance officer - who filed a lawsuit under the federal False Claims Act, will receive $50,000 of the settlement. How does your organization monitor for executive fraud? Source: https://www.careersinfosecurity.com/hospital-to-pay-250000-after-alleged-false-hitech-claims-a-12569

TIP: Follow the HIPAA Privacy Rule to achieve compliance with the provisions of the HITECH Act.

3.2.2.1.3 HIPAA Breach Notification Rule

The Interim Final Rule dated August 24, 2009 (Breach Notification Rule) added a new subpart D to part 164 of title 45 of the Code of Federal Regulations to implement the Breach Notification provisions established in the HITECH Act. The Breach Notification Rule states that “compromises of security or privacy of the protected health information” means that a disclosure poses a significant risk of financial, reputational, or other harm to the affected individual. An objective risk assessment approach is required to determine the risk that the PHI has been compromised. Table 3-4 is a risk assessment questionnaire I created for a healthcare organization. It may help you in performing a risk assessment to determine the extent of compromised PHI.

Table 3-4. PHI Risk Assessment Questionnaire

No. | Risk Question | Responses
1 | Was PHI included in the data breach? | Yes or No
2 | How many records were breached? | 500+
3 | How many PHI identifiers were disclosed? | 0 to 18
4 | Can the identifiers disclosed lead to discovering the patient? | Yes or No
5 | Did an unauthorized person access the PHI? | Yes or No
6 | Was the PHI viewed or acquired? | Viewed or Acquired
7 | Was the PHI encrypted? | Yes or No

This approach is more comprehensive than the four-factor approach suggested by HIPAA. If you want a full scope risk assessment program, the National Institute of Standards and Technology (NIST) offers a comprehensive HIPAA Security Rule Toolkit. Go to https://scap.nist.gov/hipaa/ to download a free copy of the Toolkit.

3.2.2.2 Veterans Benefits, Health Care, and Information Technology Act

S.3421, the Veterans Benefits, Health Care, and Information Technology Act of 2006, requires the Department of Veterans Affairs (VA) to implement agency-wide security and privacy procedures to protect sensitive personal information (SPI) of employees and patients. This act was passed following the 2006 data breach affecting over 26 million veterans, when a VA employee’s computer was stolen from the employee’s home. The act requires that in the event of a data breach of SPI processed or maintained by the VA, the VA’s Inspector General must conduct an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of SPI. Based upon the risk analysis, if the Secretary of Veterans Affairs determines that a reasonable risk exists of the potential misuse of SPI, the Secretary must provide:

• Credit protection services.
• Identity theft insurance.
• Notification to affected patients and employees.
• A report detailing the findings of the independent risk analysis for each data breach.
• A report of compromised sensitive personnel records issued to the US Department of Defense (DOD) Armed Services Committee.
• Liquidated damages paid by contractors who caused the data breach.

What is quite different about this act is the requirement for liquidated damages if your company was found to be the cause of the data breach. In this context, a contractor is considered in breach of contract for not protecting SPI and must pay a predetermined sum to compensate the VA for the damage caused. This would include the cost of credit monitoring services, notification costs, etc. More information about the provisions of this bill can be found at https://www.congress.gov/bill/109th-congress/senate-bill/3421.

3.2.3 Federal Privacy Laws

Today a framework of robust federal laws covers the protection of personal information. Some of these statutes are very specialized in their scope, while others have broad-reaching protections for personal information. The first federal law was published in 1970; since then, by my count, 22 other data privacy laws have passed. Table 3-5 lists the federal statutes, acts, and regulations that directly or indirectly apply to ensuring the privacy of information or prohibiting invasions of privacy.

Table 3-5. Federal Statutes Related to Privacy

Year | Bill | Title | Description
1970 | H.R.15073 | Fair Credit Reporting Act (FCRA) | Protection of personal information related to credit reporting.
1974 | 513 of P.L. 93-380 | Family Educational Rights and Privacy Act (FERPA) | Restricts the disclosure of educational records.
1974 | S.3418 | Privacy Act | Code of privacy practices for federally held information.
1978 | H.R.4727 | Privacy Protection for Rape Victims Act | Protection of rape victim identities.
1978 | H.R.14279 (https://www.congress.gov/bill/95th-congress/house-bill/14279) | Right to Financial Privacy | Privacy of customer financial records from government scrutiny.
1984 | S.66 | Cable Communications Policy Act (CCPA) | Personally identifiable information (PII) must be destroyed once no longer necessary.
1986 | H.R.4952 | Electronic Communications Privacy Act (ECPA) | Privacy of electronic data transmission by computer.
1986 | 18 US Code Chapter 121 | Stored Wire and Electronic Communications and Transactional Records Access – Stored Communications Act (SCA) | Protects stored electronic communications that are configured to be private.
1988 | S.496 | Computer Matching and Privacy Protection Act | Privacy principles for government information sharing.
1988 | S.2361 | Video Privacy Protection Act (VPPA) | Prohibits disclosure of PII by video service providers.
1991 | S.1462 | Telephone Consumer Protection Act (TCPA) | Protection of subscriber privacy rights.
1994 | H.R.3355 | Driver’s Privacy Protection Act (DPPA) | Limits the disclosures of PII in records maintained by state departments of motor vehicles.
1994 | H.R.2243 | Federal Trade Commission Act (FTCA) | Privacy protections for children and consumer information.
1996 | H.R.3103 | Health Insurance Portability and Accountability Act (HIPAA) | Privacy of personal health information (PHI).
1998 | 16 CFR Part 312 | Children's Online Privacy Protection Act (COPPA) | Protection of minors’ privacy.
1999 | S.900 | Gramm-Leach-Bliley Act (GLBA) | Protection of non-public personal information (NPI).
2003 | H.R.2622 | Fair and Accurate Credit Transactions Act (FACTA) | Protection of credit card information to prevent identity theft.
2003 | S.877 | CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act) | Prevents invasion of individual privacy through the issuance of spam.
2006 | H.R.4709 | Telephone Records and Privacy Protection Act (TRPPA) | Prohibits pretexting to obtain personal phone records.
2009 | H.R.1 | American Recovery and Reinvestment Act – Health Information Technology for Economic and Clinical Health Act (HITECH Act) | Data breach notification of PHI.
2010 | S.2092 | Fair Debt Collection Practices Act | Prevents invasion of individual privacy.
2013 | 45 CFR Parts 160 and 164 | HIPAA Breach Notification Rule | Notification and penalties for violations of PII.
2013 | H.R. 6671 | Video Privacy Protection Act Amendments Act of 2012 | Allows PII to be disclosed with informed, written consent of the consumer.
2015 | H.R.1428 | Judicial Redress Act | Allows European citizens to sue for unlawful PII disclosures.
2015 | H.R.22 | FAST Act - Driver Privacy Act | Limitations on data retrieval from vehicle event data recorders.

It is important to note that many of these laws could have been amended since their first passage. For each applicable statute, ensure that you are referencing the most current version by accessing the link provided or searching for the law or act at https://www.congress.gov/.

TIP: Create a spreadsheet of the laws mentioned in this chapter that apply to your organization and include hyperlinks to their sources. Identify the privacy requirements of each law and map those to your organization’s privacy policies, practices, and controls.

3.2.4 Cybercrime on Tribal Lands

Did You Know? History has shown that casinos have been attractive targets for hackers, as evidenced by cyberattacks at The Hard Rock Hotel and Casino, River Cree Resort and Casino and the Sands Corporation.

When you consider that 56 million acres, or a little over 92,000 square miles of land, are held in trust by the U.S. government for various Native American tribes (U.S. Department of the Interior, 2019), it is not inconceivable to think that cybercrime could occur somewhere in an area approximately the size of the state of Idaho. There are nearly 575 federally recognized American Indian Tribes in the U.S., and the FBI is responsible for investigating cybercrimes that violate federal law on the nearly 200 Indian reservations. This is no small feat when you consider that the over 450 gambling operations run by 240 tribes represent a significant technology footprint. For cybercrimes that don’t break Federal law, jurisdiction becomes somewhat ambiguous. In 1978, the Supreme Court case Oliphant v. Suquamish stripped tribes of the right to arrest and prosecute non-Indians who commit crimes on Indian land. If both victim and perpetrator are non-Indian, a county or state officer must make the arrest. If the perpetrator is non-Indian and the victim an enrolled member, only a federally certified agent has that right. If the opposite is true, a tribal officer can make the arrest, but the case still goes to federal court. Even if both parties are tribal members, a U.S. attorney often assumes the case, since tribal courts lack the authority to sentence defendants to more than three years in prison. The harshest enforcement tool a tribal officer can legally wield over a non-Indian is a traffic ticket. The result has been a jurisdictional tangle that often makes prosecuting crimes committed in Indian Country prohibitively difficult (Crane-Murdoch, 2013).

3.2.4.1 Sovereign Immunity of Data Breach Laws

There has yet to be a data breach at a tribal casino or tribal business to test the concept of sovereign immunity against a third-party claim or class-action lawsuit. But this would depend on the state in which the casino is located. Some states have negotiated gaming compacts stating that sovereign immunity could be waived for tort claims. An example of this is found in Harold McNeal et ux. v. Navajo Nation et al., case number 18-894, in the Supreme Court of the United States. In this case U.S. District Judge Martha Vazquez ruled that the Navajo Nation had waived sovereign immunity to the McNeals' state court lawsuit when its council ratified the tribe’s 2003 gaming compact with New Mexico. Judge Vazquez rejected the tribe’s contention that its council lacked the authority to send tort suits to state court, and the tribe subsequently appealed to the U.S. Tenth Circuit Court. This precedent could prove instrumental in a data breach class-action lawsuit.

3.2.4.2 National Indian Gaming Commission

The Indian Gaming Regulatory Act was enacted by the United States Congress on October 17, 1988, to regulate the conduct of gaming on Indian Lands. IGRA establishes the National Indian Gaming Commission and the regulatory structure for Indian gaming in the United States (Public Law 100-497, Oct. 17, 1988, 100th Congress, Sec. 2701). Casino owners should at a minimum leverage the National Indian Gaming Commission’s no-cost IT vulnerability assessment testing for tribes and tribal regulators, which provides a tribal gaming facility with a complete vulnerability analysis of its IT system. Showing due diligence and what a reasonable person would do begins with demonstrating that minimum security requirements are followed through use of the IT vulnerability assessment tool.


3.2.5 State Privacy Laws

Every state in the US has at least one privacy law that seeks to protect its citizens from invasions of privacy and theft of PII. California is one example of a state having many laws. Presently, California has six individual privacy laws covering constitutional rights, health information, online privacy, and other privacy protections. It is not unusual for large organizations to have to comply with 50 to 60 different state privacy laws, making this extremely confusing. Big companies have chief privacy officers (CPO) to address the multitude of privacy laws. To make this even more complicated, depending on the situation, a state or federal privacy statute can preempt the other. You will need to understand the hierarchy of these laws to ensure you are focusing your efforts correctly. To help you understand the areas state privacy laws focus on, Table 3-6 provides the most common identification attributes you should be protecting.

Table 3-6. Common Records Covered by State Privacy Laws

Record Category | Record Type

Personal identification:
- Name
- Address
- Driver’s license
- Employment
- Passport
- Phone number
- Photo (minors)
- Email
- Medical
- School records
- Social Security numbers

Financial identification:
- Bank
- Credit card
- Insurance
- Loan
- Tax
- Utility bills

Government identification:
- Arrest records (non-public)
- Military ID
- Court documents (non-public)
- Polygraph results
- Wiretaps

3.2.6 State Chief Information Privacy Officer (CIPO) Laws

Several states have passed laws that require the establishment of an Office of Privacy and Data Protection and/or the hiring of a Chief Privacy Officer. These states recognize that passing data privacy laws alone, without having a privacy czar at the helm, is a band-aid approach to protecting the privacy rights of their citizens. Table 3-7 shows some of the states that have passed specific CIPO laws.

Table 3-7. State CIPO Laws

State | Statute | Main Provisions

Arkansas | HOUSE BILL 1793 |
• Create position of CPO
• Oversee, develop, and implement state privacy program

Ohio | Ohio Rev. Code § 125.18(B)(6) |
• Employ CPO
• Annual privacy impact statements

Massachusetts | Mass. Gen. Laws Ch. 7D, § 4B (2018 H.B. 3731) |
• Appoint CIPO
• Privacy Ombudsperson

Washington | RCWs > Title 43 > Chapter 43.105 > Section 43.105.369 |
• Create office of privacy and data protection
• Appoint CPO

There are other states, counties and even cities that have hired CPOs. For example, the cities of New York and Seattle as well as the counties of Maricopa, Maui, and San Diego have all hired CPOs in the past several years.

3.2.7 International Privacy Laws

More than 90 countries have passed data privacy laws. From Angola to Zimbabwe, these laws vary in scope and complexity. Penalties range from fines to incarceration and, in some cases such as China, Nigeria, Saudi Arabia and Pakistan, even death. The growth in data protection and privacy laws, as well as their rapid rate of enhancement, can quickly become a compliance nightmare for a cybersecurity or privacy manager. The Asia Pacific region is experiencing the greatest number of new laws, and European countries tend to have the most mature and comprehensive laws. If your organization is a multi-national concern, then you may already be breaking data privacy laws and not even know it. Unless you have created a detailed compliance program that maps each country of operation to the privacy provisions of each law, covering data collection, storage, processing, transmission, etc., you cannot know whether you are compliant or not. You must also consider transborder data privacy provisions, including the legal implications of data in the cloud. Most of us don’t have the resources to keep track of all these international data privacy laws. I can highly recommend that you review DLA Piper’s Data Protection Laws of the World handbook (DLA Piper).


3.2.7.1 China’s No Place to Hide Law

On December 1, 2019, China’s Cybersecurity Multi-Level Protection Scheme (MLPS 2.0) became law. Dubbed by many as the “Nowhere to Hide” law, MLPS requires encryption backdoors for any encryption algorithms used in China. MLPS is in fact a comprehensive data gathering and surveillance system. The Ministry of Public Security and other internet security agencies of the PRC government and the CCP will have the encryption backdoors to use as they see appropriate for their respective security programs. Any organization conducting business in China should already know that the government monitors and captures Internet traffic. MLPS just puts a name on what many have already suspected. MLPS sets out the technical and organizational controls all companies in China must follow to comply with MLPS-related Internet security obligations mandated by China’s Cybersecurity Law. All companies and individuals must abide by the following three standards:

• GB/T 22239 – 2019 Information Security Technology – Baseline for Multi-level Protection Scheme
• GB/T 25070 – 2019 Information Security Technology – Technical Requirements of Security Design for Multi-level Protection Scheme
• GB/T 28448 – 2019 Information Security Technology – Evaluation Requirements for Multi-level Protection Scheme

No English version of these standards is presently available, so you must be careful about the source of any translations that are sure to emerge. One of the most significant aspects of this law is that no technology that blocks access by the Ministry of Public Security is permitted. No VPN, no encryption, no private servers. You also must recognize that the China Ministry of Public Security is required to install back doors or other message/data interception devices or systems to achieve full access. You will need to assume that China Telecom and Chinese-based ISPs are required to comply (Sussman, 2019).

Sussman, Bruce. (2019, October 15). Chilling Assessment of China's New Cybersecurity Law: 'There Is No Place to Hide.’ SecureWorld. Retrieved from https://www.secureworldexpo.com/industry-news/what-does-new-china-cybersecurity-law-do

3.3 Data Breach Laws

The term data breach seems to garner more fear than data privacy and subsequently the lion’s share of press. I believe this is due more to the impression that a violation of privacy is more about revealing embarrassing information and a breach of data is associated more with financial impacts. According to a recent Verizon data breach report, there were over 41,686 security incidents across 180 countries and territories, of which 2,013 were confirmed cases where confidential information was exposed, making this by all measures a serious issue that you must address (Verizon, 2019). When you begin viewing the various data privacy and data breach laws, you will realize a fine line exists between the two types of laws. The important point is that data breach laws predominately deal with the issue of disclosure. Data breach laws follow a similar framework consisting of compliance, triggers, safe harbor, notification, remedies, and penalties.

3.3.1 State Data Breach Laws

All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted data breach laws. Only the Northern Mariana Islands and American Samoa have not enacted data breach legislation (National Conference of State Legislatures, 2019b). The common denominator of these statutes is their specification of PII. If an entity were to intentionally or accidentally disclose PII, the offending entity would be required to make a public notification as well as pay a financial penalty. In reviewing data breach laws, I noticed six common characteristics:

Did You Know? In the past ten years California, New York, Texas, Florida, Georgia and Oregon were the top states with the most reported data breaches. Since 2008, 9,696 data breaches occurred across the U.S. involving more than 10.7 billion records. Source: https://www.fastcompany.com/90366574/which-states-had-most-data-breaches-california-and-new-york

1. Type of Personal Information. Personally identifiable information consists of Social Security numbers, driver’s license numbers, account numbers, credit or debit card numbers, phone numbers, addresses, health information, and others depending on the state.
2. Harm Standard. Notification is not required if, after an investigation, the breached company determines that no reasonable likelihood of harm to customers occurred.
3. Data Format. Laws can cover electronic, paper, or both types of records, and may also consider whether the data was encrypted or unencrypted.
4. Notification Requirement. Upon confirmation of a breach, the company has an obligation to report to one or more organizations, consisting of consumer reporting agencies (e.g., Experian, Equifax, or TransUnion), a state’s Office of the Attorney General, and the FTC.
5. Notice Period. Ranges from ten business days to 30, 45, or up to 60 calendar days.
6. Form of Notification. Notification methods vary by state, consisting of mailed written notice, electronic (email), telephone, or fax.

The first thing you will need to understand about data breach notifications is the safe harbor provision, meaning that if your data is encrypted, then no notification would be required. That is, unless it is in Tennessee. In July 2016, Tennessee became the first state to require breach notification even if the data is encrypted (Embry, 2016).
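The Table 3-4 questionnaire from 3.2.2.1.3 and the safe harbor points just made can be combined into a triage helper for an incident response playbook. The Python below is an added example, not code from the book; its "significant" versus "low" risk split, the state field, and the constructed scenarios are assumptions made for the example.

```python
"""PHI breach notification triage (added example, not the book's code).

Encodes the seven Table 3-4 questions plus the notification points the
chapter states: the 500+ record HHS reporting threshold, the encryption
safe harbor, and Tennessee's exception to that safe harbor (Embry, 2016).
The book only says the assessment must be objective; the risk split used
here is an assumption for this example.
"""
from dataclasses import dataclass

HHS_REPORT_THRESHOLD = 500   # Table 3-4, question 2 ("500+")
MAX_IDENTIFIERS = 18         # Table 3-4, question 3 ("0 to 18")
# States whose breach law requires notice even when data is encrypted.
NO_ENCRYPTION_SAFE_HARBOR = frozenset({"TN"})


@dataclass(frozen=True)
class BreachFacts:
    """Answers to the Table 3-4 questions plus the entity's state."""
    phi_included: bool            # Q1: Was PHI included in the breach?
    records_breached: int         # Q2: How many records were breached?
    identifiers_disclosed: int    # Q3: How many PHI identifiers (0..18)?
    identifiers_reidentify: bool  # Q4: Can the identifiers find the patient?
    unauthorized_access: bool     # Q5: Did an unauthorized person access it?
    acquired: bool                # Q6: True = acquired, False = viewed only
    encrypted: bool               # Q7: Was the PHI encrypted?
    state: str = "US"             # assumed input: two-letter state code

    def __post_init__(self) -> None:
        if not 0 <= self.identifiers_disclosed <= MAX_IDENTIFIERS:
            raise ValueError("identifiers_disclosed must be between 0 and 18")
        if self.records_breached < 0:
            raise ValueError("records_breached must not be negative")
        if self.identifiers_disclosed == 0 and self.identifiers_reidentify:
            raise ValueError("no identifiers disclosed, so none can re-identify")


@dataclass(frozen=True)
class Assessment:
    risk: str                 # "none", "low" or "significant"
    notify_individuals: bool  # affected patients must be notified
    report_to_hhs: bool       # 500+ records: HHS breach portal
    reasons: tuple


def assess(facts: BreachFacts) -> Assessment:
    """Walk the questionnaire and return the notification decision."""
    if not facts.phi_included:
        return Assessment("none", False, False, ("no PHI in the breached data",))
    if not facts.unauthorized_access:
        return Assessment("none", False, False, ("no unauthorized access",))

    reasons = []
    if facts.encrypted:
        if facts.state.upper() not in NO_ENCRYPTION_SAFE_HARBOR:
            # Safe harbor: encrypted PHI is unreadable to whoever holds it.
            return Assessment("low", False, False, ("encrypted: safe harbor",))
        reasons.append(f"encrypted, but {facts.state.upper()} has no safe harbor")

    if facts.identifiers_reidentify:
        reasons.append("disclosed identifiers can re-identify the patient")
    if facts.acquired:
        reasons.append("PHI was acquired, not merely viewed")

    # Assumption: re-identifiable or acquired PHI is a significant risk of
    # harm; viewed-only, non-identifying PHI is low risk.
    if not (facts.identifiers_reidentify or facts.acquired):
        return Assessment("low", False, False,
                          tuple(reasons) or ("viewed only, not identifying",))

    report_hhs = facts.records_breached >= HHS_REPORT_THRESHOLD
    if report_hhs:
        reasons.append(f"{facts.records_breached} records: HHS threshold met")
    return Assessment("significant", True, report_hhs, tuple(reasons))


if __name__ == "__main__":
    # Constructed scenario modelled on the unencrypted stolen-laptop
    # settlements listed earlier in this chapter: 7,000 records, not recovered.
    laptop = BreachFacts(True, 7000, 3, True, True, True, False, "OR")
    print(assess(laptop))
    # Same facts with disk encryption, in a safe-harbor state and in Tennessee.
    print(assess(BreachFacts(True, 7000, 3, True, True, True, True, "NY")))
    print(assess(BreachFacts(True, 7000, 3, True, True, True, True, "TN")))
```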


3.3.2 Federal Data Breach Laws

The federal government had not specifically addressed data breach or breach notification in a single law until the introduction of H.R.1770 – the Data Security and Breach Notification Act of 2015. This bill is designed to protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide notice in the event of a breach of security. This bill would result in a law that differs from other data breach notification laws in that a national public notification would be required. The bill was introduced and approved by the committee for further consideration in April of 2015. From that point forward it has been stalled because of discussion over limitations in scope and the preempting of states with existing laws. Many state legislators see this as a duplicate of their state notification laws. Other industry groups, agencies, and states have voiced concerns over the fact that the proposed act applies only to breaches that can be directly linked to identity theft or financial fraud. The FTC would be the enforcement agency for this bill if it becomes law. In 2017 it was placed on the Union Calendar, which is a separate calendar used by the House of Representatives for bills requiring money. I am still not sure if this bill will ultimately make it, but it still lives. Another bill, H.R.1704 – the Personal Data Notification and Protection Act, was introduced in March of 2015 to address certain businesses that use, access, transmit, store, dispose of, or collect sensitive, personally identifiable information. An interesting aspect of this bill is that it categorizes reporting requirements by data breach size, with levels of 5,000, 10,000, and 500,000 in any 12-month period. The Department of Homeland Security (DHS) would be the agency to which data breaches would be reported. A form of safe harbor is also included in this bill. The FTC would be the enforcement agency for this bill should it become law. I am not convinced either of these bills will become law, at least as they are currently drafted. You should watch these bills, as momentum on Capitol Hill is poised to make progress in passing a national data breach law by the 116th congressional session, 2019-2020, in light of the media attention data breaches have garnered.

In case you are asking yourself, “What about the HIPAA and Gramm-Leach-Bliley (GLBA) Acts? Don’t they have data breach provisions?” Yes, they do; however, they are specific to the health care and financial industries respectively. I discussed HIPAA breach notification previously, which leaves GLBA. GLBA breaches of consumer financial data are guided by the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice issued by bank regulatory agencies pursuant to GLBA. The guidance requires that a financial institution notify affected customers “as soon as possible” if the institution determines that misuse of “sensitive customer information” has occurred or is reasonably possible (Federal Deposit Insurance Corporation, 2005).


3.3.2.1 Gramm-Leach-Bliley Act (GLBA)

The Financial Modernization Act of 1999, or GLBA, regulates the collection, use, and disclosure, as well as the protection, of personal information by financial institutions. This Federal law, effective May 23, 2003, requires financial institutions to explain how they share and protect their customers’ private information. Remember every year you get a rash of privacy notifications in the mail? Well, you have GLBA to thank for that. GLBA defines financial institutions to include banks, credit unions, insurance companies, and securities firms, as well as debt collectors, real estate appraisers, check cashing businesses and mortgage brokers. Some retailers and automobile dealers that extend or arrange credit or issue credit cards are also on the list.

Did You Know? On February 27, 2018, the FTC announced a settlement for Venmo’s violations of the GLBA privacy and safeguards rules. Specifically, the FTC alleged that Venmo misled consumers regarding privacy and the extent to which consumers’ financial accounts were secured. Venmo is required to obtain biennial third-party assessments of its compliance with these rules for 10 years. Does your organization comply with the provisions of GLBA? Source: https://www.huntonprivacyblog.com/2018/03/02/ftc-announces-settlement-for-venmos-alleged-violations-of-the-glbas-privacy-and-safeguards-rules/

One of the provisions of GLBA is to provide customers with a notice of privacy practices. GLBA covers nonpublic information, which is defined as any personally identifiable information that you would provide to obtain a financial product or service. The most important aspects of GLBA are the privacy and safeguards rules, which require:

• 314.3 Standards for Safeguarding Customer Information
  (a) Information security program. You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. Such safeguards shall include the elements set forth in 314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in paragraph (b) of this section.
  (b) Objectives. The objectives of section 501(b) of the Act, and of this part, are to:
    (1) Ensure the security and confidentiality of customer information;
    (2) Protect against any anticipated threats or hazards to the security or integrity of such information; and
    (3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

• 314.4 Elements
  In order to develop, implement, and maintain your information security program, you shall:
  (a) Designate an employee or employees to coordinate your information security program.
  (b) Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of your operations, including:
    (1) Employee training and management;
    (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
    (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures.
  (c) Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures.
  (d) Oversee service providers, by:
    (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and
    (2) Requiring your service providers by contract to implement and maintain such safeguards.
  (e) Evaluate and adjust your information security program in light of the results of the testing and monitoring required by paragraph (c) of this section; any material changes to your operations or business arrangements; or any other circumstances that you know or have reason to know may have a material impact on your information security program.

Violating GLBA brings sizable penalties for non-compliance, including imprisonment for up to five years and fines up to $100,000 for each violation; officers and directors can also be fined up to $10,000 for each violation.

3.3.2.2 Red Flags Rule

In 2003, Congress amended the Fair Credit Reporting Act (“FCRA”) to require the Federal Trade Commission (“FTC”) and certain other federal agencies (together, the “Agencies”) to jointly adopt identity theft red flags rules and guidelines. At that time, FCRA did not require or authorize the Securities and Exchange Commission (“SEC”) or Commodity Futures Trading Commission (“CFTC”) to adopt these rules. Instead, the FTC had authority to adopt and enforce these rules with respect to SEC- and CFTC-regulated entities. The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 amended FCRA to transfer identity theft rulemaking responsibility and enforcement authority to the SEC and CFTC with respect to the SEC- and CFTC-regulated entities. The FTC developed a series of markers, or “red flags,” to help organizations detect fraud attempts before criminals can make any actual progress. These markers became ensconced within SEC Regulation S-ID (17 CFR 248, Subpart C) or the FTC Identity Theft Red Flags Rule. The penalty for non-compliance with the Red Flags Rule is $3,500 maximum in civil fines per violation and up to $2,500 per infraction due to the FTC. The SEC’s identity theft red flags rules require certain SEC-regulated entities to adopt a written identity theft program that includes policies and procedures designed to:

• Identify relevant types of identity theft red flags;
• Detect the occurrence of those red flags;
• Respond appropriately to the detected red flags; and
• Periodically update the identity theft program.

The SEC’s identity theft red flags rules apply to SEC-regulated entities that qualify as financial institutions or creditors under FCRA and require those financial institutions and creditors that maintain covered accounts to adopt identity theft programs. SEC-regulated entities that are likely to qualify as financial institutions or creditors and maintain covered accounts include most registered brokers, dealers, and investment companies, and some registered investment advisers.

3.3.2.3 Federal Government Security Memorandum

If you work for the federal government, you will need to be aware of the 2007 memorandum for the heads of executive departments and agencies titled Safeguarding Against the Breach of Personally Identifiable Information. The memorandum states, “Safeguarding personally identifiable information in the possession of the government and preventing its breach are essential to ensure the government retains the trust of the American public” (Johnson, 2007). Agencies are required to:

• Develop and implement a breach notification policy.
• Use encryption to protect PII.
• Develop incident response plans.
• Limit access to authorized personnel.
• Create external breach notification protocols.


3.3.3 International Data Breach Laws

The United Nations (UN) tracks 160 countries with respect to their efforts in protecting information. Figure 3-1 provides a breakdown of the legislation status relating to data protection for the 160 countries tracked by the UN.

Figure 3-1. International Data Breach Law Status (pie chart with four segments: With Legislation 58%, No Legislation 21%, Unknown Status 12%, Draft Legislation 10%)

DLA Piper’s Data Protection Laws of the World handbook provides a view of the data breach laws of over 110 countries (DLA Piper, 2019). You can access the handbook and select the breach notification tab to investigate these laws for the countries applicable to your organization. I know most of you won’t have the time to download and read this handbook, so I have taken the liberty of outlining the privacy laws of the G7 in Table 3-8. The G7, short for the Group of Seven, is an international economic organization consisting of the seven largest International Monetary Fund (IMF) advanced economies in the world: Canada, France, Germany, Italy, Japan, the United Kingdom, and the United States.


Table 3-8. G7 Privacy Laws

| Country | Privacy Act | Bill | Date |
|---|---|---|---|
| Canada | Personal Information Protection and Electronic Documents Act (PIPEDA) | 36th Parliament, Bill C-6 | April 13, 2000 |
| France | Data Protection Act | Ordinance 2018-1125 | December 12, 2018 |
| Germany | Federal Data Protection Act (FDPA) | Bundesdatenschutzgesetz (BDSG) | July 5, 2017 |
| Italy | Italian Privacy Code | Legislative Decree No. 196/2003 | August 10, 2018 |
| Japan | Act on Protection of Personal Information (APPI) | Act No. 57 | September 7, 2018 |
| United Kingdom | Data Protection Act 2018 | 2018 c. 12 | May 23, 2018 |
| United States | No Single Data Protection Act | Not Applicable | Not Applicable |

It won’t take you long to notice that the US is the only one of the G7 that does not have a unified national data protection act. The US has a patchwork quilt of privacy laws, as identified in Table 3-5. You will no doubt also notice that many of the national data protection acts of the G7 were enacted on or around the date of the adoption of the GDPR. The move of these G7 countries to harmonize their existing national data protection laws with the GDPR was critical to eliminate confusion in compliance and enforcement.

3.3.3.1 New and Emerging International Privacy Laws

This book cannot cover all the international laws, nor does it make sense to duplicate the work already completed in DLA’s excellent handbook. But I do want to highlight recent changes in international privacy law that could impact those reading this book with international business models. Some of these laws even have ramifications for organizations that have customers in the following countries but no physical presence there.

• Australia – The Privacy Amendment (Notifiable Data Breaches) to Australia’s Privacy Act came into effect in February 2018. Organizations with an annual turnover of over 3 million AUD will have to disclose data breaches that pose a “real threat of serious harm” within 30 days of their discovery or face fines of up to 1.8 million AUD.
• Brazil – In 2020, the Brazilian General Data Protection Law (LGPD), Federal Law no. 13,709/2018, will take effect. This law is very similar to the GDPR, especially in its expanded definition of territory. Companies with customers in Brazil will need to comply with the law in the event of a data breach even though they have no physical operations located within the country.
• Bahrain – This country is the first Middle East country to enact a comprehensive data protection law. Law No. 30 of 2018 - Personal Data Protection Law became effective August 2019 and includes fines of up to BD 20,000 (US $53,200) or imprisonment for up to one year.
• China – China has a confusing landscape of data privacy, with more than 200 laws, rules, and national standards in varying degrees of standing, from proposed to enacted as law. In an effort to simplify all these privacy rules, in March 2018 China’s National Information Security Standardization Technical Committee (TC260) issued a national standard, the Personal Information Security Specification, which covers the collection, storage, use, sharing, transfer, and disclosure of personal information. TC260 is China’s version of our National Institute of Standards and Technology. China is stepping up its efforts to reduce or eliminate the misuse of private data. In May of 2019, China further codified its protection of information by releasing a new data protection law. This new data protection law requires labeling of the data feeds users receive that are driven by their personal data. Internet service providers are also required to delete collected data if users choose to turn off recommendations and ads. China’s data privacy laws apply only to Chinese territories. Taiwan maintains its own Personal Data Protection Law (PDPL), which was last revised in 2015.
• India – Specific rights of consumers and requirements for technical safeguards regarding the processing of personal data, including cross-border data transfers, are expected to be in India’s comprehensive Personal Data Protection Bill, introduced in 2018. Ratification is expected sometime in 2019.
• Peru – The protection of personal data outlined in Peru’s Personal Data Protection Law N° 29733 (PDPL) was amended in 2018 and includes a unique stipulation in that it prohibits marketing texts and emails to anyone without prior informed consent.
• Thailand – Thailand’s Personal Data Protection Act (PDPA) went into effect in May of 2019. The PDPA is like the GDPR in several ways, including the broad definition of personal data, the requirement to establish a legal basis for collection and use of personal data, extraterritorial applicability, and potentially harsh penalties for non-compliance.

Going down the alphabet, we can identify other countries, such as Indonesia, New Zealand, Kenya and Zimbabwe, that are planning to introduce new data privacy and protection acts. 2019 and 2020 look to be watershed years for new or enhanced international data privacy laws.


3.3.4 General Data Protection Regulation (GDPR)

The European Union (EU) General Data Protection Regulation (GDPR) was approved by the EU parliament on April 14, 2016 and became effective May 2018. The GDPR replaces the EU Data Protection Directive and is designed to:

• Standardize disparate data privacy laws throughout Europe.
• Protect EU citizen privacy.
• Harmonize EU data protection and privacy safeguards.
• Encourage compliance through meaningful fines and sanctions.
• Put EU citizens back in charge of their personal data.

GDPR applies to organizations located within the EU as well as organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, the EU data subjects. GDPR applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. Figure 3-1 provides a model of how GDPR is designed.

Figure 3-1. EU GDPR Model.


The GDPR differs from the EU Data Protection Directive in the following ways:

• Directive vs. Regulation – GDPR carries more clout and removes the discretionary language that comes with a directive. The GDPR applies to all member states of the EU and removes data protection inconsistencies among member states.
• Jurisdiction Expansion – The coverage of GDPR is expanded past European boundaries and extends compliance to any organization that houses or processes EU citizen information, regardless of location.
• Citizen Consent and Rights – Organizations can no longer use ambiguous terminology or confusing legalese to define or secure consent. Organizations must clearly define the terms of consent and how data will be used, in plain language. Citizens also have the right to access (right of access) and receive (data portability) their own data, as well as to have it erased (right to be forgotten) on demand.
• Privacy Safeguards – Privacy is now a legal requirement: privacy protection must be designed into systems and processes to meet the requirements of GDPR.
• Enforcement – The GDPR is similarly enforced through courts, with penal and administrative sanctions in addition to civil remedies. What has changed is the amount of the fines a court can levy for a violation. Fines can go as high as EUR 20 million or four percent of an organization’s turnover or annual sales.
• Breach Notifications – Under GDPR it is no longer necessary to submit breach notifications to each local privacy authority. A Data Protection Officer (DPO), which is a mandatory appointment, would make the notification to a single relevant authority.

2019 is the year when GDPR enforcement ramped up. I believe that for every data breach experienced here in the US in which EU citizens are impacted, a parallel GDPR enforcement action will be launched. Table 3-9 provides a summary of some of the initial fines levied under GDPR.

Table 3-9. Largest GDPR Fines

| Date | Covered Entity | Country | Fine (US) | Reason |
|---|---|---|---|---|
| 2019 | Google | France | $55,000,000 | Lack of transparency, inadequate information and lack of valid consent regarding ads personalisation. |
| 2019 | Active Insurance | France | $198,702 | Online check revealed that the accounts of the company's customers were accessible via hypertext links referenced on a search engine. |
| 2019 | Unicredit Bank | Romania | $143,507 | Failure to apply appropriate technical and organizational measures, both in the determination of the processing means and the processing operations themselves, to effectively implement data protection principles. |
| 2019 | Sergic | France | $441,559 | Users could access documents from other individuals on the site by modifying a URL. |
| 2019 | Haga Hospital | The Netherlands | $507,793 | Lax controls over logging and access to patient records. In one instance, 197 employees accessed one Dutch celebrity’s medical records. |
| 2019 | MisterTango UAB – Payment Processor | Lithuania | $67,889.80 | Accidentally exposed a website with a list of consumer payments and payment details, including personal information. |
| 2019 | Bisnode | Poland | $242,858 | Scraped 7.6 million contacts from public registries, such as the Polish Central Electronic Register and Information on Economic Activity. |
| 2018 | Centro Hospitalar Barreiro Montijo | Portugal | $441,559 | Hospital had 985 registered doctor profiles while only having 296 doctors. Moreover, doctors had unrestricted access to all patient files, regardless of the doctor’s specialty. |

The companies fined above are just the beginning: in July 2019 the U.K. data protection authority, the Information Commissioner’s Office, announced that it intends to fine British Airways and Marriott International $228 million and $124 million respectively for violating the GDPR (Davies, 2019). TIP: Create a GDPR impact statement based on four percent of your organization’s annual turnover, and also convert EUR 20 million into dollars, to determine your total fine exposure.

GDPR compliance still requires work world-wide. A report by Thomson Reuters, released approximately one year to the day after GDPR took effect, states that:

• More companies are failing to meet global data privacy regulations.
• Many companies have found GDPR compliance more difficult than expected.
• Half of companies are at risk of falling further behind.
• An increasing number of companies have now been subject to enforcement actions.
• Companies are becoming less open and pro-active with consumers.
• Board and C-suite concern and engagement on data privacy issues is falling.
• GDPR is now consuming a greater proportion of data privacy budgets (Thomson Reuters, 2019).

3.4 Data Breach Litigation

The frequency and scope of privacy data breaches are increasing substantially. Yahoo!’s September 2016 announcement of the theft of one-half billion customer records when hackers breached their systems in 2014 set a high bar for data breaches. Yahoo! became aware of the cyberattack only when Yahoo! customer information went up for sale on the dark web, two years after the attack. Three months later, in December 2016, Yahoo! revealed that another, earlier hack in 2013 had affected more than one billion accounts. The important point about the Yahoo! hack and other examples is that injuries to the plaintiff do not necessarily need to be immediate. Many data breach lawsuits suffer dismissal for lack of standing. However, some cases are avoiding dismissal by proving future injury. Courts have taken two distinct approaches to data breach lawsuits, specifically class action lawsuits. On the one hand, courts have ruled in some cases that plaintiffs who cannot show actual injury or cannot prove they made a purchasing decision based on the defendant’s privacy policy have no standing to claim injury. On the other hand, some courts have ruled that injury does not have to be immediate. The Yahoo! data breach case may change some courts’ positions regarding the issue of future harm.

3.4.1 Injury vs. No-Injury Class Action Lawsuits

From July to October 2013, hackers stole 350,000 instances of credit card data from Neiman Marcus Group, LLC (Neiman). The data compromise came to light when some of Neiman’s customers noticed fraudulent charges on their credit cards in December of that year. Ultimately, 9,200 credit cards would be fraudulently used. In January, Neiman made a public disclosure of the cyberattack. Shortly afterward, several class action lawsuits were filed. These were all consolidated into a single action filed by Hilary Remijas, who filed the lawsuit on her own behalf and on behalf of all others similarly situated (a class action).

The complaint, seeking $5 million, accused Neiman of negligence, breach of implied contract, unjust enrichment, invasion of privacy, and violation of multiple state data breach laws. Citing the rules of civil procedure, Neiman moved to dismiss the lawsuit for lack of standing. The judge held that even though credit cards were fraudulently used, the fact that customers were reimbursed proved that no financial loss or harm had occurred. A district court dismissed the case on the basis that the plaintiffs lacked standing or a demonstrable harm. The case was appealed, argued, and decided between January and July 2015. It is the result of this appeal that makes data breach law interesting. In a first-of-its-kind legal precedent, the US Court of Appeals for the Seventh Circuit in Chicago, IL found that the Neiman plaintiffs in a data breach case had satisfactorily identified harm, even though no harm had yet occurred. The judge ruled that the plaintiffs proved some particularized, concrete, and redressable injuries as a result of the data breach and that Neiman caused the injury. Subsequently, this court reversed the original court’s decision, allowing the case to go forward.

The plaintiffs claimed injury based on lost time and money resolving the fraudulent charges and on efforts to protect themselves from future identity theft. They also claimed the financial loss of buying items at the store that they would not have bought had they known of the cyber breach, and the loss of control over the value of their personal information. Three things are required to prove standing: injury-in-fact, causation, and redressability. The injury-in-fact requirement was satisfied by the claims that resolving fraudulent charges and protecting oneself against future identity theft were injurious. For causation, the court relied on the Target Corporation data breach case as a precedent and wrote that when Neiman argued that other data breaches could have caused the plaintiffs’ card compromises, the burden of proof shifted to the defendant to prove it did not cause them. The fact that Neiman admitted the cyber breach, notified all their customers that they were at risk, and had customer credit cards fraudulently used was enough to prove causation. To meet the requirement of redress (compensation), the plaintiffs claimed that injury would come from future expenses for mitigation costs and damages. The court agreed (Remijas v. Neiman Marcus Group, LLC, 2015). TIP: Ensure that you carefully write the breach notification letter, as well as any public disclosure statements, in a manner that does not admit liability or determine harm that could be used against your company in a court of law.

The US Court of Appeals for the Seventh Circuit’s ruling goes against a 2013 US Supreme Court decision that states that an injury must be “concrete, particularized, and actual or imminent; fairly traceable to the challenged action, and redressable by a favorable ruling” (Clapper v. Amnesty Int’l USA). The Neiman case may have a significant impact on future privacy violation lawsuits, where defendants have been able to have class action lawsuits readily dismissed for lack of standing. In fact, it had already been cited in 2016 in Lewert v. P.F. Chang’s China Bistro, Inc. Here the Seventh District Court overruled a lower court's decision on standing, citing its previous Remijas v. Neiman Marcus Group, LLC ruling. Further complicating the outlook of how courts will rule in data breach cases is a second US Supreme Court decision, in May 2016, in the case of Spokeo v. Robins. Here the US Supreme Court vacated (overruled) the US Ninth Circuit Court’s ruling approving the class action lawsuit, stating that concrete harm could not be abstract but needed to be tangible and that injury-in-fact was not proved. The court ruled that a plaintiff cannot allege only a statutory violation but must also show actual injury as a result of the offense in order to sue in federal court. If you find that your company is named in data privacy breach litigation, your ability to guide your business using the three requirements of standing will significantly aid your legal defense. Guiding the legal defense requires that you work with your legal department, primarily in the area of causation, to attempt to prove that other factors could have been involved in your customers’ alleged injury. Would you be able to show that your data collection, processing, and security practices would hold up to scrutiny in a court of law?


3.4.2 Data Privacy and the US Supreme Court

In July 2014, the US Supreme Court made its strongest case for digital privacy when it ruled (Riley v. California) that the search of a cell phone for incriminating information in a murder case was unconstitutional. In this case, the court unanimously agreed that electronic devices carry many forms of sensitive and private information that trigger privacy protections. The court’s ruling treats these types of data-holding devices like an extension of a person’s home, allowing Fourth Amendment protection. I expect that as more cases make their way to the US Supreme Court, digital privacy rights will be further elaborated. Three landmark US Supreme Court opinions, described below, may shape how your company would defend itself in a privacy lawsuit.

3.4.2.1 City of Ontario, California, et al. v. Quon

On June 17, 2010, the US Supreme Court ruled that employers have the right to access and search employee messages under reasonable circumstances. In this case, a City of Ontario, CA SWAT team member (Officer Quon) used his city-provided pager to send and receive sexually explicit messages to his wife and mistress. Officer Quon believed that he had an expectation of privacy because his supervisor had stated he could use his pager for personal messaging if he reimbursed the city. The sexting on his city-issued communication device became apparent in 2002 when an audit of officer texting overages was analyzed to determine whether the increase was due to personal texting that would subsequently cost the city more money for a different texting plan. The city requested and was provided with transcripts of Officer Quon’s text messages from the service provider, Arch Wireless. The matter was turned over to internal affairs, where only personal messages sent during working time were reviewed. It was found that the majority were sent during working hours, and subsequently Officer Quon was disciplined.

Quon and several other city employees brought suit claiming that their Fourth Amendment rights, as well as the Stored Communications Act (SCA), were violated. The court ruled that the city had a legitimate right to audit Officer Quon’s texting records, and thus his Fourth Amendment rights were not violated. The amendment guarantees a person’s privacy and security from invasive and arbitrary government actions. In this case, the city’s actions were neither invasive nor arbitrary. Also, before acquiring the pagers, the city had published a computer usage, Internet, and email policy that allowed the city to monitor and log all email and Internet use. The policy, however, did not cover wireless network text messaging. This would have been a critical mistake had the city not stated, verbally and in written form, that text messages would be considered as email under the policy. The SCA violation naming Arch Wireless as a defendant was viewed as not relevant and was dropped. What is important to note from the US Supreme Court opinion is the statement, “…employer policies concerning communications will, of course, shape the reasonable expectations of their employees, especially to the extent that such policies are clearly communicated.” For you as a manager, you will need to ensure that cybersecurity policies support the rule of law, are clearly communicated, are reinforced with frequent reminders, are modified only in writing, and are revised to include new technologies. This opinion shows that you will need to ensure that searches of employee data are done for legitimate business purposes and that employees are aware of their obligations under your company’s cybersecurity policy.

3.4.2.2 Campbell-Ewald Co. v. Gomez

On January 20, 2016, the US Supreme Court held that an unaccepted settlement offer under Rule 68 of the Federal Rules of Civil Procedure, without more, cannot moot (nullify) a named plaintiff’s claim. The term “without more” in this context means just an offer of a financial settlement. In this case, Gomez received unsolicited text messages and filed a putative nationwide class action lawsuit against the Campbell Ewald Company seeking treble (triple) damages, alleging willful violations of the Telephone Consumer Protection Act (TCPA). Before the deadline to file for class action certification expired, Campbell made a settlement offer providing Gomez full relief on his TCPA claim. Gomez allowed the offer to expire after 14 days under Rule 68. Campbell then moved to dismiss the case. That motion was dismissed; however, the lower court granted a summary judgment motion for Campbell on a separate sovereign immunity issue. Sovereign immunity is the principle that the government cannot be sued; in this case, Campbell was working under a government contract and therefore enjoyed the protection of sovereign immunity. Campbell’s sovereign immunity motion would ultimately be overturned by a higher court.
The case was argued before the US Supreme Court, which wrote in its opinion that when a settlement offer is not accepted, “the parties remain adverse; both retained the same stake in the litigation they had at the outset.” The court also ruled that “a federal contractor is not entitled to immunity from suit for its violation of the Telephone Consumer Protection Act when it violated both federal law and the government’s explicit instructions.” (Campbell-Ewald Co. v. Gomez, 2015). The result of this opinion is that companies will find it difficult to “buy off” the primary plaintiff to avoid a class action lawsuit or to hide behind sovereign immunity while working on government contracts.

3.4.2.3 Tyson Foods, Inc. v. Bouaphakeo

On March 22, 2016, the US Supreme Court ruled that class action plaintiffs may use sampling to establish injury among the plaintiffs. Although not a data privacy case, the court's decision could have a wide-reaching effect on data privacy class action lawsuits. In this case, the plaintiffs used an expert study to show the average amount of time required to don and doff protective equipment in order to claim overtime pay. The court ruled that this data could be used to establish the injury of loss of income to all plaintiffs because it was also admissible to show the employer’s liability. The result is that the door is now open for data breach class action plaintiffs to introduce expert studies and statistical models to show how all plaintiffs would be harmed by a data breach.

Tip: If your company is named in a class action data breach lawsuit, you need the knowledge and skills to perform your risk assessment and statistical modeling to calculate the harm or injury to your customers.

3.4.3 Shareholder Derivative Lawsuits

Did You Know? On January 4, 2019 the Yahoo! data breach-related derivative suit was settled for $29 million. The derivative complaint asserted claims against Yahoo’s board for breach of fiduciary duty, insider trading, unjust enrichment, and waste. How would your company deal with a lawsuit brought by a shareholder on behalf of your company? Source: https://www.dandodiary.com/2019/01/articles/cyber-liability/yahoo-data-breach-related-derivative-suit-settled-29-million/

Nothing strikes fear in a CEO or a board of directors faster than the phrase “shareholder derivative lawsuit.” A shareholder derivative lawsuit is a lawsuit brought by a shareholder of a corporation on its behalf to enforce or defend a legal right or claim that the corporation has failed to enforce or defend. When a shareholder feels that management has not done enough to rectify a situation, the shareholder can sue the company to force it to sue itself. The directors, management, and in some cases other shareholders of the corporation can be named for failing a duty of care. This type of lawsuit is brought when it is deemed that the officers and board of directors have ignored an issue, which in the context of our topic is a serious breach of security. A growing number of derivative lawsuits targeting officers and directors have been filed alleging claims of breach of fiduciary duty by not ensuring their company’s cybersecurity program was adequate or challenging their conduct following a breach. Some of the more publicly visible derivative lawsuits involved Target Corporation, TJX Companies, and Wyndham Worldwide Corporation (Wyndham). One of your roles following a data breach should be ensuring the board acts responsibly by providing them with accurate, timely information about what happened. This may be difficult, as they may see you as the contributing factor to the breach. You will also need to watch for the passage of H.R.5069, the Cybersecurity Systems and Risks Reporting Act, as boards of directors may be hiring their own cybersecurity expert to advise them during times of cyberattacks and resulting lawsuits, leaving you out in the cyber cold.
The actions of a board leading up to and after a cyberattack will be evaluated to determine their duty of care and whether they acted in the best interests of their company and shareholders. Take, for example, the 2014 lawsuit of Palkon v. Holmes, the first decision in a derivative lawsuit resulting from a data breach. Wyndham suffered three data breaches over a three-year period beginning in 2008, resulting in 600,000 compromised customer records. In this case, Dennis Palkon, a shareholder of Wyndham, sent two demand letters to the board requesting that they investigate the breach and sue the employees involved. A demand letter is a letter stating a legal claim that makes a demand for restitution or performance of some obligation. The board considered both letters and responded that it would not be in the company’s best interest to do so. Having met the threshold for bringing a derivative lawsuit (the issuance of demand letters), Palkon filed suit in the US District Court of New Jersey to force the directors to sue their company. The suit named board member Stephen Holmes and nine other Wyndham directors for breach of fiduciary duty, unjust enrichment, and waste of corporate assets. Unjust enrichment is a claim alleging that directors and officers received bonuses, or saw the value of their stock increase, through expense reductions achieved by not investing in cybersecurity safeguards. The case was dismissed as without merit; however, valuable lessons can be gleaned from how the board acted during the breaches. These actions proved to the court that the board had acted in a fiduciary manner. Their efforts included discussing the cyberattacks and the company’s security capabilities during 14 quarterly meetings during the period of the breaches. The board appointed an audit committee to investigate the breaches. The committee met 16 times and regularly reported back to the board. And finally, the company hired a computer forensics company and a technology company to implement cybersecurity program enhancements. The board was also actively involved in the previously filed FTC lawsuit against Wyndham for failures in their cybersecurity program. The actions the board took were anything but the gross negligence claimed by Palkon. This case underscores the critical importance of a board involving itself in a company’s cybersecurity program. The board did have a bit of luck in their case: the derivative lawsuit was filed after the board had acquired three years of security breach and cyberattack experience. Most such suits are filed immediately, not giving a board much time to prepare. TIP: As someone involved directly with your company’s cybersecurity program, you may be personally sued in a derivative lawsuit, meaning the company could be forced to sue you for failure of duty or negligence in a data breach. Ultimately, a personal lawsuit could end up costing tens of thousands of dollars in attorney’s fees. You should discuss with your management how your breach-related legal expenses would be handled in such a scenario.

3.4.4 Securities Fraud Lawsuits

Before the notion of filing derivative lawsuits, parties would file a securities fraud lawsuit citing various portions of the Securities Exchange Act of 1934 relating to fiduciary responsibility. This was the preferred method for shareholders to challenge directors and officers following a data breach because it had been used successfully over the years to connect a lack of management oversight to a breach of security. Two of the largest cases to date include Heartland Payment Systems, Inc. and ChoicePoint, Inc. (now known as LexisNexis Risk Solutions). In both cases, the plaintiffs alleged the defendants falsely reported their security control capabilities in their Form 10-K statements. Although both cases were dismissed, they show that securities fraud claims can be used to sue an organization, resulting in significant costs and the preoccupation of key employees in defending against the litigation.

If you were not already just a little bit concerned about being part of a data breach lawsuit, then by now you should be on the brink of being cautiously paranoid. Understanding the numerous and varied data privacy laws that apply to your organization’s cybersecurity program should give you an appreciation for the magnitude of work that remains for your cybersecurity program to reach and stay compliant with the dynamic and rapidly changing cybersecurity privacy legislative landscape.

3.5 Privacy Notice Law

Have you ever wondered about all those privacy notifications that seem to arrive at about the same time every year? You can thank GLBA for that, since it is the principal law requiring many companies that have consumers to provide an annual update of their privacy policy regarding their information sharing practices (Federal Trade Commission, 2002). You will need to ask yourself whether your company’s privacy policy, provided to consumers each year, is clear and accurate as well as easy to locate. GLBA’s main provisions consist of:

• Financial privacy rule, which affords you control over how your private information is shared among affiliates.
• Pretexting provisions, which aim to stop third parties from acquiring your personal information through false pretenses.
• Safeguards rule, a requirement to establish and maintain safeguards to protect your private information.

Privacy notices apply whenever a company collects nonpublic personal information. How your company gathers and discloses information about consumers is highly regulated by GLBA. If you collect nonpublic personal information directly from the consumer or populate applications with personal information gathered from another source, such as a credit bureau, all the information must be protected by your company. Penalties for violating GLBA can include $100,000 fines for each violation, fines up to $10,000 for each director, and imprisonment up to five years. There are also provisions to double penalties if it is determined that a pattern of illegal activity exists.


3.6 Personal Liability

As a result of numerous data breaches, with senior management lawyering their way out of responsibility, aggrieved parties have begun to search for others to blame outside of a company’s board of directors. Shareholders and plaintiffs are increasingly turning their attention toward chief information officers (CIOs) and chief information security officers (CISOs). In 2015, the CIO of the US Office of Personnel Management (OPM), Donna Seymour, was personally named in a $1 billion lawsuit by the American Federation of Government Employees citing her negligence in securing nearly 22 million current and former employee and contractor records.

Did You Know? Mignon Hofmann, a former information security officer at San Francisco State, filed a $1 million lawsuit claiming that she was fired by the university in order to sweep a 2014 hack involving significant exposure of student records “under the rug.” The student records involved in the breach included both financial records and password reset functions. How well could your company defend a whistleblower lawsuit? Source: https://www.bamlawca.com/california-labor-laws/alleged-hack-fired-employee-sues-sf-state-for-1m

This was the second breach to occur on her watch. This lawsuit was poised to set some concerning precedents for CIOs and CISOs alike. Over the next three years the lawsuit was dismissed and then reinstated when, in June of 2019, the U.S. Court of Appeals for the D.C. Circuit largely sided with two federal employee unions, finding that the plaintiffs have standing and the lawsuit can continue (Katz, 2019). All correspondence related to cybersecurity sent by CIOs and CISOs is open to discovery and will be analyzed in evaluating duty of care claims.

TIP: CIOs and CISOs should send any security assessment reports and correspondence to in-house legal counsel to preserve attorney-client privilege, helping ensure these types of reports are not available to discovery motions. A file transfer protocol (FTP) server or document management solution can also be used to submit sensitive documents to the legal department to preserve attorney-client privilege.


3.6.1 Directors and Officers Insurance

Did You Know? In Spec’s Family Partners, Ltd. v. Hanover Insurance Co., No. 1720263, 2018 U.S. App. LEXIS 17246 (5th Cir. June 25, 2018), the court of appeals found that a contractual liability exclusion in a management liability policy did not excuse the insurer from its duty to defend its policyholder, a private company, against a claim arising out of a payment card data breach. Does your company’s insurance policy provide adequate coverage for executives? Source: https://policyholderinformer.com/2018/08/02/seeking-insurance-coverage-for-data-breach-claims-a-recent-case-confirms-that-certain-do-policies-potentially-provide-coverage/

If anyone has ever told you that titles don’t matter, well, here is a case in which they do. Directors and officers (D&O) insurance protects the officers and directors, including board members, against allegations of wrongdoing. It protects them against liabilities not already indemnified by the corporation. Companies carry this type of insurance because officers and directors can make mistakes and may be personally liable for those mistakes. D&O insurance may be the one place where titles matter: having the title of security manager rather than chief information security officer may make all the difference in whether you are covered under the blanket protections of your company’s D&O policy. D&O insurance protects directors, officers, and board members against lawsuits based on failures in employment practices, reporting errors, decisions exceeding authority, and failure to comply with regulations and laws, among others. However, D&O policies do not cover acts of fraud or other types of intentional criminal offenses.

Of importance to you are the protections for failure to comply with regulations or laws. In the event your company is sued for negligence in security controls, will you be covered and your personal assets protected? D&O policies can vary widely, so it is important that you sit down with your business’s insurance risk manager and discuss whether the D&O policy covers you. If not, it may also be time to ask for that raise and change in title!

3.6.2 Preemptive Liability Protection

If you feel that your company is not taking your advice to improve cybersecurity and has made public statements overstating its security capabilities, you could take the whistleblower route to mitigate your liability exposure. For example, in August 2013, LifeLock Inc.’s former CISO, Michael Peters, filed whistleblower complaints with the FTC, the Securities and Exchange Commission, and the US Department of Labor over LifeLock’s failure to comply with a previous 2010 FTC order to improve security controls. Although it took nearly four years, the FTC filed a motion for contempt against LifeLock, alleging failure to have a comprehensive security program, making false claims about security to customers, failing to meet the 2010 recordkeeping requirements, and other claims. LifeLock offered a $20 million settlement that was rejected by the FTC.

In 2015, LifeLock settled with the FTC for a little over $100 million. In reaching the final settlement, LifeLock claimed it had complied with the previous order by achieving certification under the Payment Card Industry Data Security Standard (PCI DSS), a proprietary information security standard. LifeLock’s CISO’s report on the inadequacies of the company’s security controls was enough to convince the FTC that LifeLock’s PCI DSS certification was insufficient to prove the company had acted reasonably. The FTC did not need much convincing, as several previous enforcement actions over data breaches involved companies that also held PCI certifications. In fact, the other data breach examples I cite in this book, such as Neiman Marcus and Target, were all PCI compliant. Several months after Peters filed the whistleblower complaint, he was terminated by LifeLock, prompting him to file a complaint against his former company in March 2014 for violating the whistleblower provisions of the Sarbanes-Oxley Act and the Dodd-Frank Act by terminating his employment. Peters, as LifeLock’s CISO, had performed an initial risk assessment and determined that his company’s auditing, event logging, incident response, security awareness, security monitoring, and vulnerability testing fell far short of the minimum accepted security practices required by the 2010 FTC order (Ross, 2014). Peters subsequently reached an out-of-court settlement, and the whistleblower case was dismissed in November 2015.

3.6.3 Cybersecurity Whistleblower Protections

Cybersecurity whistleblowers have both legal and financial reward incentives to go public with evidence of company misdeeds that lead to data breaches. However, the laws don’t directly provide protection; rather, they protect against retaliation. This is a subtle but important point when it comes to defending against a wrongful termination suit. The facts of the case can influence a whistleblower’s standing: for example, did the whistleblower violate confidentiality, steal evidence, fail to properly report, etc.? The following are some of the laws that provide protections against whistleblower retaliation:

• Dodd-Frank Act.
• False Claims Act.
• Financial Institutions Reform Recovery Act.
• National Defense Authorization Act.
• Sarbanes-Oxley Act.
• Whistleblower Protection Act.

Here are some examples of cybersecurity-related whistleblower settlements:

• July 2019 - Cisco Systems, Inc. agreed to an $8 million settlement to resolve allegations that it knowingly sold vulnerable video surveillance software to federal, state and local government agencies, exposing government systems to the risk of unauthorized access and the manipulation of vital information. (Constantine Cannon, 2019a)

• April 2019 - IT supplier Fortinet agreed to pay more than $500,000 to resolve a False Claims Act (FCA) case brought by a whistleblower alleging that it routinely supplied the government with products made in China and then doctored the products’ labels to make it appear that they complied with the federal Trade Agreements Act. In announcing the settlement, the government emphasized that it was “committed to combatting procurement fraud and cyber risk within U.S. Department of Defense programs.” (Constantine Cannon, 2019b)

• June 2017 - Electronic health records (EHR) vendor eClinicalWorks agreed to pay $155 million to resolve claims that it misrepresented the capabilities of its software to fraudulently obtain certification required for government payment. While not involving security standards, EHR fraud cases demonstrate the government’s interest in pursuing vendors for misrepresenting software capabilities. (Constantine Cannon, 2019c)

• November 2015 - NetCracker Technology Corp., which provided telecommunications network support to the Department of Defense, agreed to pay $11.4 million to settle claims that it used employees without security clearances to perform contract work that it knew required clearances. (Constantine Cannon, 2015)

3.7 Data Disposal Laws

If you thought that complying with data privacy and data breach laws would be enough, think again. Your responsibility for protecting the privacy of your customers’ data continues until the data makes it to the grave – in this case, the end of life and ultimate disposal of information. Thirty-five states and Puerto Rico have passed laws governing the destruction and disposal of data (National Conference of State Legislatures, 2019a). This aspect of the data lifecycle is so critical that the FTC has even published a rule on how consumer report information should be disposed of (Federal Trade Commission, 2005a). On June 1, 2005, the Fair and Accurate Credit Transactions Act (FACTA) Disposal Rule went into effect, requiring you to take appropriate measures to dispose of sensitive information derived from consumers (Federal Trade Commission, 2005b). Take time to review your data lifecycle policy and practices to trace each stop your data makes along the lifecycle and verify that proper privacy protections are implemented, including the proper disposal, erasing, or permanent elimination of data no longer required. Table 3-10 is the data compliance lifecycle I developed that has served me well. You may find it useful in tracing your data through your organization.


Table 3-10. Data Compliance Lifecycle

| Stage | Summary |
|---|---|
| Data creation | Prevent data alteration during creation. |
| Data use | Prevent data misuse and mishandling when used. |
| Data transmission | Prevent data interception and alteration. |
| Data processing | Prevent data alteration when transformed by processing. |
| Data storage | Prevent theft, destruction, or errors when backed up. |
| Data archival | Prevent theft, destruction, loss, or errors when archived. |
| Data disposal | Prevent reconstitution; ensure total destruction. |

3.8 Electronic Wiretap Laws

Have you ever wondered whether monitoring employee email or website activity, or running surveillance of employee communications with data loss prevention (DLP) products, violates any privacy laws? Well, it just may be violating the Electronic Communications Privacy Act (ECPA) if you have not made the proper disclosures. First and foremost, you must ensure that a policy exists and clearly states that your company reserves the right to monitor any digital, audio, or video data sent over company communication lines and networks. Employees need to understand that there should be no expectation of privacy. If you are monitoring data and communications relating to customers, it can be done only if there is a legitimate business need, such as quality assurance, and you have their consent. The ECPA provides for fines and imprisonment of up to five years for violations unless you adhere to one of the following:

• One-Party Consent. The ECPA does not prohibit interception of communications if either the sender or the recipient gives prior consent. However, consent cannot be implied and must be given prior to the interception.
• Business Use Exception. The ECPA does not prohibit interception if it is conducted within the ordinary course of an employer’s business and the employer has a legal interest in the subject matter of the conversation.

TIP: If your company has a bring-your-own-device (BYOD) policy, employees, guests, or contractors need to acknowledge that any courtesy communications provided while they are onsite using their own devices may be monitored as well.

This is an area where you are highly encouraged to meet with your legal department to review and approve employee monitoring policies.

3.9 Digital Assistant Privacy Issues

So, there is a joke that starts off “If Alexa, Cortana, Siri and Holly go into a bar, who can keep a secret?” The punch line is “none of them.” If you’re wondering who Holly is, it’s the default female name for Google’s digital assistant. These devices constantly record information whether it’s wanted or not. Privacy protections built into these devices are questionable at best, and their recordings could be used in a court of law if subpoenaed. In January 2017, a New Hampshire judge ordered Amazon to release recordings from an Echo device from a house where two women were found dead. In 2015, prosecutors in Bentonville, Arkansas sought to gain information from an Amazon Echo device as well. In both cases Amazon argued that the requests violated the First and Fourth Amendments, and in both cases Amazon vigorously fought to suppress the requests for Alexa recordings. Extending First (free speech) and Fourth Amendment (unreasonable search and seizure) rights to artificial intelligence has proponents on both sides of the issue arguing the merits for and against. Ultimately, I feel these issues will end up in the U.S. Supreme Court to be decided.

3.10 Social Media Privacy

If you’re like me, you have at least one social media account. Many of you reading this book will have Facebook and LinkedIn at the very least. What some of you may not know is that more than just our friends and family can see what we post. Companies have sophisticated social media monitoring software that will scan the Internet looking for your social media impressions. Things you said ten years ago could come back to haunt you in a job search. Some companies even require you to turn over your social media usernames and passwords so they can review your background. This is generally seen as an invasion of privacy, and some states are seeking to prevent companies from forcing you to turn over your social media credentials. Table 3-11 shows which states are actively looking to adopt social media privacy laws.

Table 3-11. Social Media Laws

| State | Legislation | Status | Provisions |
|---|---|---|---|
| Florida | H.B. 493 | Pending | Prohibits an employer from requesting or requiring access to a social media account of an employee or prospective employee; prohibits an employer from taking retaliatory personnel action. |
| Hawaii | H.B. 6 | Pending | Adopts uniform laws on protecting the online accounts of employees, unpaid interns, applicants, students, and prospective students from employers and educational institutions. |
| Massachusetts | H.B. 1628 | Pending | Social media consumer privacy protection. |
| Minnesota | H.B. 1196 | Pending | Protects applicants’ and employees’ personal usernames and passwords from access by employers; provides for civil enforcement. |
| New York | A.B. 935 | Pending | Uniform Employee and Student Online Privacy Protection Act; relates to the protection of employee and student online accounts. |

To date, the states of Delaware (H.B. 109), Illinois (H.B. 4999), Montana (H.B. 343), Nebraska (L.B. 821), and Virginia (H.B. 20181) have passed social media privacy laws. There are, however, three times as many states that have failed in their legislative attempts to pass similar laws. To keep up with state activity in passing social media laws, check out http://www.ncsl.org/research/telecommunications-and-information-technology/employer-access-to-social-media-passwords-2013.aspx.

3.11 Event Data Recorder (EDR) Privacy

Most of us are unaware that event data recorders have been part of many cars since the mid-1990s. In fact, EDRs were used in 64 percent of all new model cars in 2005. Fast-forward to today and nearly every car has an EDR. EDRs collect a tremendous amount of data, including:

• Air bag status
• Braking
• Child restraints
• Crash event duration
• Crash force
• Crashes
• Electronics status
• Engine RPM
• GPS data
• Occupants in car
• Roll angle
• Seatbelt use
• Speed
• Start/stops
• Steering wheel angle
• Tire pressure
• Vehicle speed

When looking at how your car can spy on you, it doesn’t take long to arrive at the fact that if you’re in a crash, your car can basically testify against you in a court of law or to your insurance company. To prevent abuses of EDR privacy, several states have passed EDR privacy laws. Table 3-11 shows a sampling of states with prohibitions on EDR use.

Table 3-11. EDR Privacy Laws

| State | Statute | Prohibition of Data Use |
|---|---|---|
| Arkansas | Ark. Code § 23-112-107 | Permission cannot be a condition of payment/settlement of an insurance claim, or of a lease or insurance agreement. |
| Connecticut | CGS § 14-164aa | Data may not be destroyed or altered after a crash until after a reasonable period to allow law enforcement to obtain a warrant. |
| Delaware | Del. Code § 3918 | Applies to private passenger vehicle insurance issued to individual policyholders. |
| New Jersey | N.J. Stat. § 39:10B-7 to -9 | Prohibits altering or deleting data on a recording device, or knowingly destroying a recording device with the intent to prevent access to or destroy the recorded data within two years after a crash event that resulted in bodily injury or death. |
| Oregon | Ore. Rev. Stat. §§ 105.925 to .948 | Permission cannot be a condition of payment/settlement of an insurance claim, or of a lease or insurance agreement. |
| Utah | Utah Code § 41-1a-1501 to 1504 | Provides that event data recorded on an event data recorder is private and is the personal information of the motor vehicle’s owner. |
| Virginia | Va. Code § 38.2-2212(C)(s), § 38.2-2213.1, § 46.2-1088.6, § 46.2-1532.2 | Insurer cannot refuse to renew an insurance policy based solely on the owner’s refusal to share data. |
| Washington | Wash. Code § 46.35.010, .020, .030, .040, .050 | Insurer cannot adjust rates based solely on the refusal to share data. Requires vehicle manufacturers to ensure that a tool is commercially available and capable of accessing and retrieving data in an EDR. |

There are nearly 20 states that have passed or are about to pass EDR privacy laws. EDRs record information locally in the car, but many also provide a function to upload data to cloud-based storage. With hundreds of thousands of automotive accidents and tens of thousands of deaths, law enforcement investigators, prosecutors, and insurance companies want access to these EDRs to prove what happened. The 2015 Driver Privacy Act declared that EDR data is the property of the owner or lessee of the vehicle. The 2015 legislation provides that EDR data may be accessed by a person other than the owner or lessee under five circumstances:

1. Court or administrative order.
2. Consent of the owner or lessee.
3. Investigation of a motor vehicle accident by the Secretary of the Treasury or the National Transportation Safety Board, provided personally identifiable information is not disclosed.
4. Emergency medical response to a vehicle crash.
5. Traffic safety research, provided personally identifiable information is not disclosed.

Courts have gone both for and against the privacy argument and whether extracting EDR data violates a person’s Fourth Amendment rights when it comes to requiring a search warrant. Table 3-12 provides a summary of two court rulings involving EDRs.

Table 3-12. EDR Judicial Rulings

| Case | Ruling |
|---|---|
| State v. Worsham, 227 So.3d 602 (Fla. Dist. Ct. App. 2017) | For Defendant: Reasonable expectation of privacy in the information retained by an event data recorder; downloading that information without a warrant from an impounded car in the absence of exigent circumstances violated the Fourth Amendment. |
| People v. Diaz, 153 Cal.Rptr.3d 90 (Cal. App. 4th 2013) | Against Defendant: Specific data obtained from the SDM was the vehicle’s speed and braking immediately before the impact. “We agree that a person has no reasonable expectation of privacy in speed on a public highway because speed may readily be observed and measured through, for example, radar devices.” |

TIP: If your organization provides employee cars, pool transportation or other form of vehicle fleet, ensure the privacy policy covers EDR data access and use.

3.12 Automated License Plate Reader (ALPR) Privacy

Automated license plate readers (ALPRs) are designed to capture digital images that allow law enforcement to compare license plate numbers against the plates of stolen cars or cars driven by individuals wanted on criminal charges. The devices are mounted on police cars, road signs, parking structures, or traffic lights. The license plate images are typically sent to cloud storage. However, with this type of data and the ability to triangulate it with personally identifiable information, the potential for data privacy violations exists.


Recognizing this potential, several states have enacted ALPR privacy statutes. Table 3-13 presents a summary of ALPR laws within the US.

Table 3-13. State ALPR Laws

| State | Statute | Year Enacted | Data Preservation Period |
|---|---|---|---|
| Arkansas | Ark. Code §§ 12-12-1801 to 12-12-1808 | 2013 | 150 Days |
| California | CA AB1782 | 2015 | 60 Days |
| Colorado | § 24-72-113 | 2014 | 3 Years |
| Florida | Fla. Stat. 316.0777 | 2014 | 30 Months |
| Maine | 29-A M.R.S.A. § 2117-A(2) | 2009 | 21 Days |
| Montana | Mont. Code Ann. §§ 46-5-117 to -119 | 2017 | 90 Days |
| New Hampshire | N.H. Rev. Stat. Ann. §§ 261.75-b, 236.130 | 2007 | 3 Minutes |
| Utah | Utah Code Ann. §§ 41-6a-2001 to -2005 | 2014 | 30 Days |

As you can see, the data preservation period is all over the map. The laws share many of the following provisions:

• Prohibits use of ALPRs for any reason other than valid law enforcement investigative purposes.
• Prohibits sale or sharing outside of valid law enforcement purposes.
• Expands the definition of privacy data to include license plate numbers.
• Prescribes specific data retention periods.
• Limits custodial access.
• Requires annual reporting of ALPR practices.
• Restricts access to a law enforcement officer certified in the technology.

You will want to address ALPR privacy practices in the event your organization deploys such technology in parking structures or fleet holding areas.


Summary

If this chapter has left you with anything, it should be that ensuring the privacy of your customers’ data is serious business and that you may be held personally liable if your clients’ secrets make it into the wild. Your involvement in a data breach could make you a central figure in a lawsuit, and you require assurances from your company that you and your assets would be protected from personal liability. You should also realize that your actions related to protecting customer information need to meet or exceed published standards and laws, since that will be the standard against which you will be judged. Privacy is one of the most dynamically changing domains of cybersecurity and will require you to stay abreast of the changes to ensure you have the most current information to guide the protection of your organization’s data.


References

Brandeis, S, Warren, S. (1890). ‘The Right to Privacy.’ Harvard Law Review. 193. Retrieved from https://uscivilliberties.org/themes/4559-s-warren-and-l-brandeis-the-right-to-privacy-4-harvard-l-rev-193-1890.html

Campbell-Ewald v. Gomez (Supreme Court 2015)

Clapper v. Amnesty International USA, et al. (Supreme Court 2013). (District Court for the Southern District of New York 2012)

Constantine Cannon. (2019a, July 31). Cisco Whistleblower Represented by Constantine Cannon Wins First-Ever False Claims Act Settlement for Cybersecurity Fraud. [Blog]. Retrieved from https://constantinecannon.com/2019/07/31/cisco-whistleblower-false-claims-act-cybersecurity/

Constantine Cannon. (2019b, April 18). Catch of the Week — DOJ Settles False Claims Act Case Against Cybersecurity Company. [Blog]. Retrieved from https://constantinecannon.com/2019/04/18/catch-of-the-week-false-claims-act-case-against-cybersecurity-company/

Constantine Cannon. (2019c, June 1). Catch of the Week — Electronic Health Records Vendor Pays Big to Settle False Claims Act Charges. [Blog]. Retrieved from https://constantinecannon.com/2017/06/01/electronic-health-records-vendor-pays-big-settle-false-claims-act-charges/

Constantine Cannon. (2015, November 6). DOJ Catch of The Week -- NetCracker Technology Corp. [Blog]. Retrieved from https://constantinecannon.com/2015/11/06/doj-catch-of-the-week-netcracker-technology-corp/

Crane-Murdoch, S. (2013, February 22). On Indian Land, Criminals Can Get Away with Almost Anything. The Atlantic. Retrieved from https://www.theatlantic.com/national/archive/2013/02/on-indian-land-criminals-can-get-away-with-almost-anything/273391/

Davies, J. (2019, July 11). ‘2019 is the Year of Enforcement’: GDPR Fines Have Begun. Digiday. Retrieved from https://digiday.com/media/2019-is-the-year-of-enforcement-gdpr-fines-have-begun/

DLA Piper. (2019). Data protection laws of the world. Retrieved from http://www.dlapiperdataprotection.com/

Embry, S. (2016, April 19). State data breach notification laws just got crazier. Law Technology Today. Retrieved from http://www.lawtechnologytoday.org/2016/04/crazy-quilt-work-state-data-breach-notification-laws-just-got-crazier/

Federal Deposit Insurance Corporation. (2005, April 1). Final guidance on response programs: Guidance on response programs for unauthorized access to customer information and customer notice. Financial Institution Letters. Retrieved from https://www.fdic.gov/news/news/financial/2005/fil2705.html

Federal Trade Commission. (2002). In brief: The financial privacy requirements of the Gramm-Leach-Bliley Act. Retrieved from https://www.ftc.gov/tips-advice/business-center/guidance/brief-financial-privacy-requirements-gramm-leach-bliley-act#notice

Federal Trade Commission. (2005a, June). Disposing of consumer report information? Rule tells how. Retrieved from https://www.ftc.gov/tips-advice/business-center/guidance/disposing-consumer-report-information-rule-tells-how

Federal Trade Commission. (2005b, June). FACTA disposal rule goes into effect June 1. Retrieved from https://www.ftc.gov/news-events/press-releases/2005/06/facta-disposal-rule-goes-effect-june-1

Federal Trade Commission. (n.d.). COPPA Safe Harbor program [List of currently approved organizations]. Retrieved November 16, 2016 from https://www.ftc.gov/safe-harbor-program

First ever HIPAA privacy criminal conviction. (2004, August 26). Retrieved from https://www.crowell.com/NewsEvents/AlertsNewsletters/all/First-Ever-HIPAA-Privacy-Criminal-Conviction

Housh v. Peth, 165 Ohio St. 35 (Supreme Court of Ohio 1956)

Johnson III, C. (2007, May 22). Safeguarding against and responding to the breach of personally identifiable information (Executive Office of the President, Office of Management and Budget memorandum M-07-16). Retrieved from https://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2007/m07-16.pdf

Katz, E. (2019, June 24). Appeals court overrules district-level finding, says federal employee unions have standing to sue. Government Executive. Retrieved from https://www.govexec.com/pay-benefits/2019/06/feds-suing-opm-score-early-win-lawsuit-over-data-hacks/157970/

Lenhart, A. (2015, April 9). A majority of American teens report access to a computer, game console, smartphone and a tablet. Pew Research Center. Retrieved from http://www.pewinternet.org/2015/04/09/a-majority-of-american-teens-report-access-to-a-computer-game-console-smartphone-and-a-tablet/

National Conference of State Legislatures. (2019a, January 12). Data disposal laws. Retrieved from http://www.ncsl.org/research/telecommunications-and-information-technology/data-disposal-laws.aspx

National Conference of State Legislatures. (2019b, January 4). Security breach notifications laws. Retrieved from http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (7th Cir. 2015)

Ross, J. (2014, March 24). Former exec blows whistle on LifeLock. Courthouse News Service. Retrieved from http://www.courthousenews.com/2014/03/24/66399.htm

US Department of Health and Human Services. (2016, September 30). Enforcement Highlights. Retrieved November 16, 2016 from http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html

US Department of Health and Human Services, Office for Civil Rights. (n.d.). Breach portal: Notice to the Secretary of HHS breach of unsecured protected health information. Retrieved November 16, 2016 from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

US Department of the Interior, National Resources Revenue Data. (n.d.). Native American Ownership and Governance of Natural Resources. Retrieved from https://revenuedata.doi.gov/how-it-works/native-american-ownership-governance/

Verizon. (2019). 2019 Data Breach Investigations Report. Retrieved from https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf

125

Self-Study Questions

The following exercises will help you understand international laws relating to cybersecurity and data breach.

1. Review the safe harbor programs and determine which one would be most appropriate for your organization.
2. Determine which international laws apply to your organization by creating an inventory of applicability.
3. Verify that your organization keeps records of board meetings where the topic of cybersecurity is discussed. These accountings are the record of your organization's fiduciary responsibility toward cybersecurity.
4. Verify that a policy exists and clearly states that your company reserves the right to monitor any digital, audio, or video data sent over company communication lines and networks, to avoid running afoul of federal wiretap laws.
5. Create a data breach notification timeline reflecting the applicable data privacy laws for your organization.
6. Meet with your legal counsel to review your organization's security policies' compliance with the rule of law. Modify security policies to align with the rule of law.
7. Determine if your organization complies with the General Data Protection Regulation (GDPR).
8. Determine if your organization's D&O insurance provides coverage for the senior person in charge of cybersecurity.
9. Speak with your organization's legal counsel and determine what policies, if any, address whistleblowers in your organization. Create a policy statement to cover whistleblowers.
10. Go to the National Conference of State Legislatures (NCSL) and identify the data disposal law that applies to your organization. Verify your organization's compliance.


Chapter 4

Cryptography and Digital Forensics Law

In the previous chapter you learned that the ability to keep secrets is a vital trait your company must have, especially when those secrets include customers' personally identifiable information. However, when those secrets are transmitted over the Internet or are left unattended on local or cloud storage devices, they can seep into the wild. One of the ways you can ensure the secrecy of your company and customer information is cryptography, which scrambles data to prevent it from being read by prying eyes. But when things go wrong, you are going to want to know how and why it happened, which is where digital forensics comes in. Through the use of digital forensics, you can identify who is trying to take your customers' secrets and, if they succeeded, determine what was stolen and how.

This chapter will help you to:

• Understand the nuances of encryption law.
• Recognize the role constitutional amendments play in data protection.
• Leverage safe harbor laws to insulate your company from data breach liability.
• Understand the legal implications of conducting a forensic investigation.
• Know how to avoid losing a cybersecurity court case because of poor procedure.


4.1 Brief Overview of Cryptography

Before I discuss cryptography laws, it is only fair that I provide you with a brief overview of cryptography and how it is used to protect data. Cryptography is the process of transforming readable data (cleartext) into unreadable data (encrypted), and protecting the data while it is stored or transmitted to another party or device. The encrypted data can be accessed only by those you specifically authorized to access the data. They can access the data because you provided them with the keys (encryption key) to unlock the data. For example, if you are the sending party and responsible for encrypting the data and creating the encryption key, the receiving party decrypts the data using the encryption key you provided. Here is where I need to get a little technical, so bear with me. The encryption key is the secret sauce of encryption algorithms. An algorithm is a mathematical formula that performs the encryption on the data, turning cleartext into meaningless cipher text or encrypted data. An encryption key is a random set of bits in a cryptography algorithm that is used to jumble data to the point where it can no longer be recognized. The key length is determined by the number of bits in the key. Think of the bits as the notches in your house key; the more notches, the more difficult your lock will be to pick. The longer the encryption key length is, the harder it will be for cybercriminals to crack the encryption code revealing the data. Nearly 20 different key types are used in encryption algorithms. Some examples of bit key lengths include 128, 192, 256, 384, 512, 1024, and 2048. Each bit key length has a projected end of life, which is an estimate of how soon hackers with the right technology could crack the encryption code. For example, the National Institute of Standards and Technology (NIST) estimated that 2048-bit keys are safe until 2030 (Barker, 2016). Table 4-1 provides a summary of the most popular encryption methods.


Table 4-1. Popular Encryption Methods (Encryption Method: Overview)

Asymmetric key algorithms: Known as public key encryption, this popular algorithm uses a pair of different, mathematically related keys for encryption and decryption. A public key is used to encrypt the message, and a private key is used to decrypt the message.

Elliptic curve algorithms: This is another form of public key encryption that uses an algorithm function over points that belong to elliptic curves. Sounds complicated, and it is, but what is important about this method is that it allows smaller keys to be used and the encryption is just as effective as other algorithms. It is gaining in popularity because the smaller keys make the encrypting and decrypting of data fast.

Hash algorithms: Also known as digital fingerprinting algorithms, these algorithms do not use keys but instead convert cleartext to a hash value (mixed up data), making it impossible for the contents or length of the plaintext to be recovered. Without the passcode, the process is irreversible. This method is ideal for authenticating messages between senders and receivers. Hashing is not encryption per se; however, it does belong in the encryption discussion.

Symmetric key algorithms: Known as secret or private key encryption, these algorithms share the same key for encryption and decryption. In this example, both parties have access to the secret key. Many security practitioners no longer use this technique because it is considered to be easily compromised by hackers.
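The four rows of Table 4-1 as working code. This is an added example, not code from the book, written in Go using only its standard library; the sample record and the function names are my own. It shows a SHA-256 fingerprint (no key, one-way, fixed length), AES-256-GCM symmetric encryption (one shared key, and decryption fails outright with the wrong key or a tampered ciphertext rather than returning garbage), RSA-2048 public-key encryption with OAEP padding (the public key encrypts, only the private key decrypts), and a size comparison of an RSA-2048 public key against a P-256 elliptic curve public key, which is the "smaller keys" point of the elliptic curve row.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// Fingerprint: the "hash algorithm" row. No key, fixed-length output, no way back to the input.
func Fingerprint(msg []byte) string {
	sum := sha256.Sum256(msg)
	return hex.EncodeToString(sum[:])
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // accepts 16, 24 or 32 byte keys (AES-128/192/256)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SymmetricEncrypt: the "symmetric key" row. One shared secret both seals and opens the data
// (AES-256-GCM, which also authenticates the ciphertext). Whoever holds the key reads the data.
func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The nonce is not secret; it is prepended so the receiver can find it.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricDecrypt fails, rather than returning garbage, on a wrong key or altered ciphertext.
func SymmetricDecrypt(key, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	nonce, body := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, nil)
}

// NewKeyPair returns an RSA-2048 key pair for the asymmetric example.
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// AsymmetricEncrypt/Decrypt: the "asymmetric key" row. The public key encrypts; only the
// matching private key decrypts (RSA with OAEP padding).
func AsymmetricEncrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

func AsymmetricDecrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// PublicKeySizes: the "elliptic curve" row. DER-encoded byte sizes of an RSA-2048 public key
// and of a P-256 elliptic curve public key, showing how much smaller the curve key is.
func PublicKeySizes() (rsaBytes, ecBytes int, err error) {
	rsaKey, err := NewKeyPair()
	if err != nil {
		return 0, 0, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return 0, 0, err
	}
	rsaDER, _ := x509.MarshalPKIXPublicKey(&rsaKey.PublicKey) // cannot fail for a fresh key
	ecDER, _ := x509.MarshalPKIXPublicKey(&ecKey.PublicKey)
	return len(rsaDER), len(ecDER), nil
}

func main() {
	secret := []byte("constructed sample customer record")
	key := make([]byte, 32) // in production the shared key comes from a key store
	rand.Read(key)
	ct, _ := SymmetricEncrypt(key, secret)
	pt, _ := SymmetricDecrypt(key, ct)
	priv, _ := NewKeyPair()
	ct2, _ := AsymmetricEncrypt(&priv.PublicKey, secret)
	pt2, _ := AsymmetricDecrypt(priv, ct2)
	r, e, _ := PublicKeySizes()
	fmt.Printf("sha256=%s\naes-gcm ok=%v rsa-oaep ok=%v\nkey bytes rsa2048=%d p256=%d\n",
		Fingerprint(secret), string(pt) == string(secret), string(pt2) == string(secret), r, e)
}
```

Running main prints the fingerprint, the two round-trip results and the two encoded key sizes (294 bytes for RSA-2048 against 91 for P-256). The symmetric half is worth reading alongside the safe harbor conditions in 4.3.1: the ciphertext is exactly as secret as the shared key, which is why a disclosed key is treated as exposing the data itself.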

Cryptography is at the heart of virtually all data security approaches, and your understanding of the methods used will aid your understanding of cryptography laws as well as how to keep customer data private. For example, certain state encryption laws insulate organizations from data breach notifications if the encryption key was not compromised in a data theft.

4.2 Cryptography Law

Cryptography is universally applied throughout the world to protect business, government, and military information. Because cryptography can shape privacy, free speech, and in some cases human rights, many countries regulate cryptography. How can encryption have such an impact on our fundamental rights? Consider the fact that people living under an oppressive regime can use encryption to communicate securely without the threat of going to jail for exercising their freedom of speech. Encryption also enables people to anonymously disclose the wrongs of their government or others by sharing information without fear of arrest. Programs like WhatsApp, Viber, Line, and Telegram are used by hundreds of millions of people throughout the world to communicate freely using these encrypted conversation apps. To learn more about these encrypted communication apps, check out an article by Miriam Cihodariu, Communications and Public Relations Officer at Heimdal Security: https://heimdalsecurity.com/blog/the-best-encrypted-messaging-apps/

The primary reason encryption has the attention of governing bodies revolves around its dual-use capability, meaning that it can be applied for both commercial and military purposes. Cryptography law, or encryption law, is legislation that prescribes the conditions and rules by which data should be stored or transmitted in a secure manner to prevent anyone other than the intended audience from gaining access to the data. Some laws even designate who is allowed to encrypt data. If your company is multinational, you will need to know which countries restrict the import or export of cryptographic technology; limit the import of encrypted data; and restrict or prohibit the use of encryption within their borders.

TIP: Hold a discussion with your cybersecurity program's security architect or engineer to make sure your company is in alignment with cryptography laws and to understand the encryption key length used within your organization's infrastructure components. Be aware that encryption will be found in hardware, software, applications, websites, and networks.

4.2.1 Export Control Laws

Laws restrict the export of cryptography technology and encryption code to certain nations, governments, or companies. The US regulates cryptography in the interest of national security. In fact, the US government classifies cryptography as a munition (guns, tanks, bullets, etc.), treating it similarly to military weapons by listing it in the Code of Federal Regulations (CFR) US Munitions List (US Munitions List, 2013).

Did You Know? In September of 2019, the Forum of Incident Response and Security Teams (FIRST) suspended Huawei's membership in response to U.S. rules restricting technology exports to Huawei. Does your company work with companies that have been restricted? Source: https://www.wsj.com/articles/huawei-suspended-from-global-forum-aimed-at-combating-cyber-security-breaches-11568805324

Since 1996, the US has been a participant in the Wassenaar Arrangement (WA), so named for the city in the Netherlands where countries, now numbering 42, have come together to create policies on exporting conventional arms and dual-use goods and technologies. The WA is not a treaty and therefore not legally binding. The US Department of Commerce Bureau of Industry and Security (BIS) does, however, rely on the WA to control the export of encryption technology. I gained quite a bit of experience with the WA while working for a global Internet security software company where we exported intrusion detection systems, firewalls, and other security products internationally. The wrong documentation alone could have cost us a huge fine. One section within the WA's document, List of Dual-Use Goods and Technologies and Munitions List, is "Category 5 - Part 2 Information Security," which specifies cryptography export restrictions. This section makes clear that security items or security functions should be considered part of the provisions if they are components of other functions or items. For example, if a controlled encryption technology is on the list and that same technology is used within another product or service, then the product or service containing the technology is also considered on the list. Some exclusions to the list include products accompanying their user for personal use; products that meet all of a specified number of benchmarks, including public availability; and unalterable cryptography algorithms. At present, you cannot export encryption technology exceeding 56 bits for key length or equivalent and 512 bits for asymmetric algorithms. The instructions of this section are quite complicated. I recommend that you review this section with your legal department. If you wish to read about the WA in more detail, you can go to its website at www.wassenaar.org.

The US classifies export destinations into four country groups (A, B, D, E) according to the Export Administration Regulations (EAR) Supplement No. 1 to Part 740 (US Department of Commerce, 2016). For the export of encryption, groups B, D:1, and E:1 are the most important:

• B – Relaxed Export Control Countries. This category has over 165 countries listed. You can download a copy of the EAR Supplement to ensure that you have the most current list.
• D:1 – Strict Export Control Countries. Armenia, Azerbaijan, Belarus, Burma, Cambodia, China, Georgia, Iraq, Kazakhstan, Kyrgyzstan, Laos, Libya, Macau, Moldova, Mongolia, Russia, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, and Vietnam.
• E:1 – Terrorist-Supporting Countries. Cuba, Iran, North Korea, Sudan, and Syria.

During the fall of the Libyan government in 2011, I was advising an energy company that could not remove its licensed encryption technology as it evacuated its foreign workers. I instructed their security team to use any means necessary to destroy the equipment. Had they failed to destroy the equipment, they would have been required to report the fact to the US State Department. The point here is that you will need policies and procedures for removing licensed encryption technology from restricted import countries to ensure that it is not left behind, potentially to fall into the wrong hands.

TIP: Your cybersecurity incident response program should include a process to handle the loss or theft of cryptography-embedded technology imported into a restricted country.


4.2.1.1 International Traffic in Arms Regulations (ITAR)

Did You Know? In October of 2014, Wind River Systems, owned by Intel, paid a $750,000 civil fine for selling encryption software to four entities in China that were on the Bureau of Industry and Security (BIS) restricted list. Does your company restrict the use of encryption algorithms used worldwide? Source: https://www.venable.com/insights/publications/2014/10/decoding-export-controls-does-the-latest-bis-settl

ITAR (22 CFR 120-130) controls the export and import of defense-related articles and services on the United States Munitions List (USML). According to the U.S. Government, all manufacturers, exporters, and brokers of defense articles, defense services, or related technical data must be ITAR compliant. Effective August 1, 2016, the Directorate of Defense Trade Controls (DDTC) increased the maximum amount that can be levied as a civil monetary penalty. Most notably, for each violation of 22 U.S.C. 2778 charged, the potential civil penalties increased from $500,000 to $1,094,010. That's an increase of more than 100% per violation (McShane, 2016).

4.2.2 Import Control Laws

Some countries restrict the importation of encryption technology for fear of the introduction of nation-state sponsored encryption backdoors. Nation-states are areas where the inhabitants share the same culture, language, and religious beliefs. Think North Korea, Iran, Russia, and China – top hacker havens. (These may be contrasted to sovereign states, independent nations with complete power over themselves, such as the US and UK.) In our context, these nation-states are areas where hackers promote their political or religious ideology with the financial support and legal protections of their government. Each nation-state would have its own motivations for placing backdoors in its encryption technology to enable spying or to introduce security vulnerabilities in its technology infrastructure. A backdoor is a way to access the software undetected by using a second, secret, programmed opening. Right or wrong, many countries mistrust US technology as they believe the National Security Agency (NSA) places backdoors in US encryption products. You can thank Edward Snowden and WikiLeaks for this perception. As a counter to this, and to the belief that other countries do the same (China, Russia, etc.), a growing number of countries require the use of their state-sponsored encryption algorithms. Another reason for restricting encryption technology is that some countries do not want an encryption technology used within their borders that offers higher-level encryption capability than their standard. In China, import regulations require companies to turn over their encryption source code, including encryption keys, when selling a product to certain industries such as financial institutions. Many countries such as Russia require a license for importing encryption technology, which includes Internet-downloadable encryption software. Violating a nation's import encryption laws can result in anything from a technical violation sanction to fines and incarceration. Table 4-2 is an inventory of countries requiring an encryption import license that I made from reviewing the Wassenaar Arrangement.

Table 4-2. Countries Requiring Encryption Import Licenses (Country: Issuing Agency)

Belarus: Belarus Ministry of Foreign Affairs or the State Center for Information Security of the Security Council
Burma: Contact the US State Department
China: Beijing Office of State Encryption Administrative Bureau
Hungary: International Import Certificate – contact the US State Department
Iran: Supreme Council for Cultural Revolution
Israel: Director-General of the Ministry of Defense
Kazakhstan: Licensing Commission of the Committee of National Security
Moldova: Ministry of National Security
Morocco: Contact the US State Department
Russia: Federal Security Service & Ministry of Economic Development and Trade (both required)
Saudi Arabia: Virtually banned; contact the US State Department
Tunisia: National Agency for Electronic Certification
Ukraine: Special Telecommunication Systems and Protection of Information of the Security Service of Ukraine

4.2.3 Cryptography Patent Infringement

A less common but nonetheless very expensive way to run afoul of the law is to infringe on a cryptography patent. Be aware that if you use encryption technology within your company's products or services without thinking of the patent implications, that act may have costly consequences. If your business is designing an in-house application or developing one for commercial purposes, you should not use copyrighted cryptography code. Instead, you should use open source code or encryption code with an expired license. You will need to pay special attention to cryptosystems, which are popular because they contain everything required to generate an encryption key, encrypt the data, and decrypt the data. Take care, because such systems contain multiple encryption algorithms, each one potentially covered by its own individual patent.

4.2.3.1 Patent Trolls

Did You Know? Apple is shutting down stores in east Texas to avoid patent trolling cases in the trolls' favorite docket, the Texas Eastern District Court. Does your company know if it violates or infringes upon any patents? Source: https://www.techdirt.com/blog/?company=cryptopeak+solutions

If you are asking yourself how companies could find out about your company's encryption patent infringement, the answer is patent trolls. Many patents are acquired and held by patent holding companies whose sole purpose is to enforce patents and seek legal damages from those who infringe on them. These companies are referred to as patent trolls, and their lucrative business practice is "patent trolling." Patent trolling gained national attention in 2013 when a group of banks was sued for using patented encryption technology to conform to PCI DSS standards (Kitten, 2013).

If you're wondering about the degree to which patent trolling is a problem, consider the PricewaterhouseCoopers, LLP 2016 Patent Litigation Study, which reported that patent infringement cases amounted to $10.2 billion in 2015 settlements, reaching the highest point in 10 years. Lawsuits related to computer hardware and software accounted for 14%, or $1.4 billion, of the total settlements (Barry, Ansell, Arad, Cartier, & Lee, 2016). Although no specific data exists on encryption cases, they would fall within the computer and software category, and I suspect they alone run into the hundreds of millions of dollars based on the sheer number of encryption patent infringement cases settled in the past few years. In December 2015, CryptoPeak Solutions sued nearly 70 other companies, including Progressive Insurance, Netflix, and Scottrade, over the use of their encryption patent (Cushing, 2015). In May, CryptoPeak Solutions had acquired US Patent 6,202,150 for auto-escrowable and auto-certifiable cryptosystems, which covers TLS-secured websites that operate using elliptic curve cryptography (ECC) (Kumar, 2015). Once CryptoPeak acquired the patent, all that was needed was to troll the Internet looking for companies using ECC technology to find patent infringers. You may remember my reference to ECC from section 4.1. CryptoPeak Solutions began suing infringing companies in bulk in the Eastern District Court of Texas. Some companies chose to settle, while others chose to battle it out in court. This is an excellent example of jurisdiction, which was covered in Chapter 1, section 1.6. Patent trolls leverage jurisdiction to their advantage. Once patent trolls realized the Eastern District Court of Texas handled 43.6% of all patent infringement cases, and that a single judge in the district handles 20% of all patent infringement cases in the US, they began commonly requesting this venue based on the court's experience in this particular field of law (Brachmann, 2016).

One of the more consequential changes seen in 2018 has been the impact of the Supreme Court's May 2017 ruling in TC Heartland v Kraft Food Group Brands LLC. In a rare unanimous decision, the court struck a blow against "forum shopping" by re-establishing restrictions on the appropriate venue for patent infringement suits. Referring to the pre-1990 standard, the court ruled that a case must be brought in the jurisdiction where the company "has a regular and established place of business," instead of simply any place in which it has sales. Since this ruling, there has been a noticeable shift in patent litigation filings away from the Eastern District of Texas, which had gained a reputation for being a favorable venue for patent owners and their damages claims. A year after the decision, the number of cases filed in the Eastern District of Texas had fallen by two-thirds, from more than 1,600 to 525. Delaware, where many businesses are incorporated, appears to have picked up the largest percentage of those filings, increasing by two-thirds (550 to 907) during the same period. Northern California (the location of many patent-heavy Silicon Valley companies) has also seen a substantial increase, with filings almost doubling to just under 300. In recent years, the rate of success for plaintiffs in patent infringement cases in the Eastern District of Texas has been lower than that in both Delaware and California's Northern District (Jarosz, Mulhern, McLean, Cartier, & Vigil, 2019).

4.2.3.2 Encryption Patent Cases

Encryption patent suits can be part of a patent troll strategy or brought by an aggrieved party. In either case, it is to your benefit to settle amicably out of court, as damages for willful infringement can be substantial, not to mention the cost and distraction of long-term litigation. Table 4-5 shows some of the largest recent encryption patent cases. What is important to note is that most of these cases have dragged on for five or more years and have had several conflicting court rulings resulting in numerous appeals.


Table 4-5. Encryption Patent Infringement Cases

Company: Adobe Systems Inc.
Judgment: $1,750,000
Year: 2018
Case: TecSec Inc., a company founded by a former director of the CIA's Cryptographic Center, has been pursuing Adobe and several other technology giants. It has taken nine years, two judges, multiple law firms, a jury trial, and a couple of detours to the U.S. Court of Appeals for the Federal Circuit, but Adobe Systems Inc. is finally out of a lawsuit over encryption patents, with zero damages.

Company: Seagate Technology
Judgment: $0.0
Year: 2018
Case: The two patents related to various aspects of hard disc encryption technology were successfully defended against an infringement case brought by a Taiwanese company. A federal court ruled the claims were invalid.

Company: Apple
Judgment: $440,000,000
Year: 2017
Case: Plaintiff VirnetX accused Apple of violating patents related to secure communications protocols in FaceTime and other applications.

Links current as of February 10, 2020.

TIP: Make it a priority to take an inventory of applications, hardware, and software, itemizing each type of encryption used throughout your company. Each method of encryption should be traced to the original patent or its license that enables your company to legally use the encryption program. With expert assistance, you will then be able to assess any patent infringement exposure and put in place corresponding strategies to eliminate the exposure.

4.2.4 Search and Seizure of Encrypted Data

Criminals have entered the digital age, using laptops, smartphones, and other technologies to commit crimes. Law enforcement is challenged with how to obtain digital evidence without violating the Fourth Amendment. The Fourth Amendment, also commonly referred to as the "a man's home is his castle" doctrine, assures citizens that they are free from unreasonable searches and seizures of property by the government. The rules for seeking physical evidence differ significantly from those for searching digital evidence. In an era of rapidly evolving law, where the US Supreme Court has even weighed in on the importance of balancing law enforcement requirements with the rights of individuals, it's important for you to understand search and seizure laws.

Fourth Amendment: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

4.2.4.1 Digital Search Warrants

In almost all cases, a search warrant is required to search for digital evidence. As with a physical evidence search warrant, probable cause is also required in digital search warrants. Some interesting differences exist, however. For example, where a physical search warrant would name a street address, a digital search warrant could name an IP address. In this case, law enforcement would be able to search the digital devices at the other end of an IP address. Law enforcement agencies are training officers to incorporate digital-specific language in their search warrant applications. Executing search warrants becomes complicated when law enforcement realizes the data they seek is encrypted, since seizing a computer with inaccessible data is of no value.

4.2.4.2 Foregone Conclusion Rule

The Fifth Amendment becomes involved when law enforcement wants the password for decrypting the seized data. The Fifth Amendment protects citizens from self-incrimination and in this case would prevent law enforcement from compelling someone to disclose what is in their mind, such as a password to encrypted files. However, some courts have used something called the foregone conclusion rule. For example, a foregone conclusion argument could be made if a defendant 1) admits to owning a computer, 2) admits the files were encrypted, and 3) acknowledges they have the ability to decrypt the data. To further the argument for a foregone conclusion, the computers must be known to the government and the government must have good reason to suspect the data exists on those computers. Judges have been known to compel a defendant to disclose the encryption keys using foregone conclusion as a reason.


Fifth Amendment: "No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offence to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation."

4.2.5 Encryption Personal Use Exemption

Next time you are packed and ready to head to the airport for an overseas vacation or business trip, ask yourself, "Will I be violating any laws?" You just may. Some countries ban or significantly regulate the import or export of encryption technology. This includes the laptop you packed for your trip. To ensure you don't violate international law, you will need to verify whether the country you are visiting has a ban on bringing in laptops, smartphones, or other technology with encryption installed. You will also need to remember that once in the country you would not be able to produce any products with the encryption technology you had with you. For example, you could not use the software on the laptop to create PDFs, documents, or other products that were encrypted at a higher encryption level than allowed by law. At the very least, you risk having your technology confiscated, or you may face fines and even incarceration. You are also restricted from creating, enhancing, sharing, selling, or otherwise distributing the encryption technology while visiting, so don't make copies of software with illegal encryption and hand it out to colleagues or friends when traveling in one of these encryption-restricting countries.

You can use the following list of the 38 of 41 members of the Wassenaar Arrangement that extend personal use provisions to know where you can bring your laptop and smartphone while traveling.

• North America: Canada and the US.
• South America: Argentina.
• Asia-Pacific: Australia, Japan, Republic of Korea (South Korea), and New Zealand.
• Europe, the Middle East, and Africa: Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Turkey, and United Kingdom.


4.3 State Encryption Laws

In October 2008, Nevada law NRS 597.970 became the first state law specifying the use of encryption for the transmission of electronic data by companies conducting business in the state (London, 2008). The level of seriousness and scope of these state-based encryption rules began to change in May 2009, when Massachusetts passed an encryption law that applies not only to companies doing business in the state, but to every company, regardless of location, with information on a state citizen. Since that time other states have amended their existing data breach notification laws to include a provision to encrypt information. The most comprehensive state data encryption law that I have seen to date is Washington bill HB 1078, passed in 2015, requiring data encryption that meets or exceeds NIST cryptography standards. I would expect more states in the coming years to pass similar laws.

TIP: Begin advising your cybersecurity team now to move toward a NIST or similar standard of encryption if your company does not already leverage the NIST encryption guidelines to protect information. The process could take years, and starting now is the prudent approach.

4.3.1 State Encryption Safe Harbor Provision

All states, as well as Guam, Puerto Rico, and the Virgin Islands, have incorporated safe harbor provisions within their data breach statutes (Hennessy, Howell, Overly, Rathburn, Millendorf, Tantleff, … & Chisena, 2019). A safe harbor provision in this context provides an exception to data breach reporting in cases where the breached data was encrypted. Safe harbor provisions are, to use a metaphor from the board game Monopoly, your “Get out of jail free” card. You would need to disclose a data breach only if your data was unencrypted or you used an encryption method that was considered below minimum standards. In reviewing the state data breach laws, I found that the following conditions would require a breach notification:

• When data is unencrypted.
• When data is encrypted, and the encryption key is disclosed.
• When data is unredacted.
• When data encryption does not meet NIST standards.
• When data encryption does not use a 128-bit or stronger algorithm.

These reporting exceptions are becoming stricter as states realize that even though companies have encrypted their data, they may have left the keys vulnerable to theft. You will need to verify the safe harbor provisions of each state whose data breach rule applies to your business in order to properly guide your organization toward compliance.


4.4 Fifth Amendment and Data Encryption

I mentioned in 4.2.1 that the Fifth Amendment protects you from being a witness against yourself. I am sure you have seen just enough of Court TV or C-SPAN to see defendants “plead the Fifth.” In the US, the only person who can force someone to reveal information is a judge, and that can only be done if you do not have a valid constitutional right not to disclose the information. The rule that courts normally follow in the US is that the government cannot compel a witness to make a self-incriminating testimonial communication. Does this mean you would not be able to plead the Fifth when asked to disclose your encryption keys? The answer is: maybe not. Testimonial communication sounds fancy, but it is quite simple: it is a situation in which you know something that would incriminate you if you revealed it. Think of it as a secret about yourself. The rationale behind this rule is to avoid forced confessions. It is important for you to note that your company, and corporate entities in general, do not have the right to “plead the Fifth”; it applies only to individuals. Testimonial communication is what is in your mind, not what is in your possession. Another way to look at it is the contrast between a physical key and an encryption key. The police can compel you to turn over a physical key to a lock, but not the encryption password that you memorized. Law enforcement can fingerprint you without your consent and without violating your rights, but what about biometric fingerprint authentication? This is something that you have, not something you know. Law enforcement could require or force you to swipe your finger to unlock data in basically the same manner they require a fingerprint at the police station. I am waiting for the first case like this to see if this would ever happen.

TIP: To preserve your right against self-incrimination, use a combination of fingerprint authentication and a passcode or passphrase. In the event you were forced to swipe your finger on the biometric pad, you would still have a secret code. This is referred to as two-factor authentication.

How does this apply to the digital world when the government requests your data? The encryption of digital documents has complicated search and seizure warrants. Can someone be compelled to give up their passwords or encryption keys to seized data? Presently the US does not have a key disclosure law; without one, it is illegal for law enforcement to request or force a user to turn over passwords or encryption keys. Absent a key disclosure law, US courts have still issued subpoenas compelling individuals or companies to provide the password or keys to access encrypted data. Court opinions on compelling users to decrypt their data have varied widely. Some rulings have stated that if law enforcement is confident of the contents of an encrypted disk, then surrendering the encryption keys does not violate the right against self-incrimination. However, the US Court of Appeals for the Eleventh Circuit ruled on 24 February 2012 that forcing the decryption of one's laptop violates the Fifth Amendment (United States v. Doe, 1988).


The controversy over encryption key disclosure also played out in the media when the Federal Bureau of Investigation (FBI) issued a National Security Letter in 2013 to an encrypted email service called Lavabit LLC. The FBI wanted to access the emails of Edward Snowden, one of Lavabit’s 410,000 customers. The company chose to go out of business rather than turn over its private keys. Now that is really keeping a secret! The 2016 Apple case is another example of the government requesting that a company decrypt data. Here, following the tragic December 2015 terrorist attack in San Bernardino, CA, the FBI wanted to compel Apple to recover data from the iPhone of one of the shooters. The FBI was so determined to force Apple to unlock the iPhone that it found a judge to issue an order based on a 227-year-old law called the All Writs Act (Lewis, 2016). Basically, the All Writs Act allows a judge wide latitude to issue just about any type of court order to compel companies or people to do something within the limits of the law, without citing a particular law. The difference between the Lavabit and Apple cases is that Apple had the financial resources and legal team to resist the government order. Having lost the court option to force Apple to unlock the shooter's iPhone, the FBI ultimately paid nearly one million dollars to have the phone unlocked.

4.5 Laws and Regulations Requiring Encryption

A growing number of laws and regulations now require data encryption for data-at-rest and data-in-transit. Some of the laws and regulations state that you may use something other than encryption if it is deemed more capable; however, frankly, nothing is more effective than encrypting data. Knowing which laws apply, and what level of encryption is required, can make all the difference in whether your company is sanctioned, fined, or sued following a data breach. Table 4-3 is a list of significant US encryption laws and regulations of which you should be aware.

Table 4-3. Significant US Encryption Laws and Regulations

Governing Body | Statute
Department of Health and Human Services (HHS) | 2003 – Health Insurance Reform: Security Standards – Section §164.306 requires the encryption of PHI based on a risk assessment.
Department of the Treasury, Office of Foreign Assets Control (OFAC) | 2004 – 31 CFR Parts 500 to 597 restricts the shipment of advanced technology to restricted countries.
Financial Industry Regulatory Authority (FINRA) | 2015 – Regulation S-P of the Securities Exchange Act of 1934 (Regulation S-P, 17 CFR §248.30), Rule 30, requires that all registered stock brokers, dealers, and investment companies implement safeguards to protect customer records and information. Since the rule went into effect, there have been 13 Disciplinary Letters issued through September 2016, including over $3 million in fines.
Internal Revenue Service (IRS) | 2014 – IRS Publication 1075 – Requires the IRS as well as all local, state, and federal governments receiving personal tax information to follow NIST encryption standards to protect personal and financial data.
US Department of State – Directorate of Defense Trade Controls | 1976 – International Traffic in Arms Regulation (ITAR) – Controls on military items and technologies – Department of State, Directorate of Defense Trade Controls (DDTC) – Arms Export Control Act (AECA) – 22 CFR Parts 120 to 130. Ensures that advanced encryption technology does not get into the wrong hands.
US Patent and Trademark Office | 1998 – Digital Millennium Copyright Act (DMCA) – Prohibits the creation, transmission, and dissemination of encryption software that reduces the legitimacy of US encryption algorithms. The act restricts encryption methods which threaten the integrity of Digital Rights Management (DRM) encryption.

Links current as of February 10, 2020.

4.6 International Cryptography Law Perspective

Encryption has become a global issue just as data sharing is a global business imperative. Many countries have passed data encryption legislation that specifies what should be encrypted, who should own the keys, what type of encryption can be used, and where encryption should apply. In fact, there has been some discussion among world leaders and technologists about creating global encryption legislation or, at the very least, a standard. This debate is likely to be ongoing, as many countries disagree about issues relating to government backdoors, violations of free speech, and impacts on human rights. I expect that the nationalist stance on data encryption laws will prevail in light of widely publicized document leaks (WikiLeaks) and the US states’ concern over other governments having access to their information. In fact, some of my customers have shared with me that encryption laws and their vagaries have affected their global competitiveness. Having worked for a global company, I learned that China, France, Hong Kong, Israel, and Russia are the most aggressive enforcers of encryption law. Thus, I advise you to review encryption not only as a privacy-preserving technology but also as a business driver. Table 4-4 is a list of important international encryption laws and regulations of which you should be aware.


Table 4-4. Important International Encryption Laws and Regulations

Country | Statute | Core Provisions | Date | Status
Australia | Assistance and Access Act 2018 | Request private users’ information from tech companies; monitor companies that use cryptography. | December 6, 2019 | Law
China | People's Republic of China Cryptography Law | Core cryptography and ordinary cryptography; commercial cryptography; legal liabilities. | January 1, 2020 | Law
Denmark | 2018 Danish Data Protection Act | Encryption must be used when transmitting confidential and sensitive information via email over an open network (such as the internet). | May 23, 2019 | Regulation
Nigeria | NITDA Data Protection Regulation 2019 | Obligates anyone or any organization involved in data processing or the control of data to develop security measures to protect such data with data encryption technologies. | January 25, 2019 | Regulation
Turkey | Law No. 6698 on Protection of Personal Data | Based on EU GDPR. Breach of the secrecy of private life, unlawful registration, acquisition or transfer of personal data, and failure to properly destroy personal data while under an obligation to do so are criminal acts. | April 7, 2016 | Law

4.7 International Key Disclosure Law

Key disclosure laws are legislation that requires individuals to surrender their cryptographic keys to law enforcement upon request. In my former role as a global cybersecurity architect, I found that at least 14 countries have a key disclosure law. You may breathe a sigh of relief, as the US presently has no such law. The purpose of these types of laws is to enable law enforcement to perform digital forensics without the risk of damaging evidence in the course of attempting decryption. One of my tasks working for a global oil and gas company was writing travel advisories. While writing advisories for Australia, Canada, France, India, South Africa, the United Kingdom, and a few others, I found that key disclosure laws varied in procedure and penalties, with incarceration ranging from a few months to multi-year prison terms. Some of these countries have even entertained adding a third-party key escrow provision, under which companies would have to deposit their encryption keys with a third-party escrow service to be accessed only by law enforcement.

TIP: A policy should be published instructing employees traveling to countries with key disclosure laws how to respond to law enforcement requests to surrender their encryption key passwords.

4.8 Legal Aspects of Digital Forensics

One of the most legally defined domains of cybersecurity is digital forensics. Evolving regulations and case law have affected how digital evidence is gathered and presented in a court of law. Digital forensic experts must have not only tradecraft in cybercrime investigations, but also a working knowledge of the laws that govern evidence collection. Lack of care and attention to forensics law in the collection of digital evidence can make that evidence inadmissible in court.

4.8.1 Preservation Order

In the event a lawsuit is filed against your company, and suspicions arise that data material to the case may be altered or destroyed, a court can issue you a preservation order. Such an order instructs you, the defendant, to refrain from destroying data before the issuance of a search warrant or, in a civil case, formal electronic discovery. Complying with preservation orders can prove very disruptive to business operations. Freezing information and preventing its alteration or loss can be complex, especially when the court-ordered preserved data is commingled with normal production data. For example, you may need to resolve service level agreement disputes when certain data are not available for use when required. Courts will evaluate the need to issue your company a preservation order based on the following criteria:

1. Can it be demonstrated that you will likely destroy data if not protected?
2. Will irreparable harm be caused to the plaintiffs if the order is not issued?
3. What is the burden imposed on your company if the order is granted?

I gained quite a bit of experience in the area of preservation orders while working at an international hardware and services company with 300,000 employees and over $100 billion in annual revenue. In the normal course of business, we were sued numerous times, and with each lawsuit came a preservation order. The main problem we faced was that preservation orders were in force for years. The length of preservation orders forced us to deal with situations such as the loss of computer equipment holding court-ordered data and the retirement of employees processing preserved data. You will need policies and procedures on how to back up and protect preservation order information when desktops and laptops are replaced, when personnel change jobs and are no longer covered by the order, or in any number of other scenarios.

4.8.1.1 “F” Letter

When a criminal investigation involves email discovery, it is common practice to issue a preservation letter to the email provider to ensure emails are not deleted as a matter of course. The provision was added in 1996, as Section 804 of the Antiterrorism and Effective Death Penalty Act, to deal with the problem of routinely deleted company records (Kerr, 2016). The preservation letter is a heads-up to the email provider that a formal court order is on the way and they should preserve emails. ISPs store emails for varying periods of time, typically 60 days to several months. The preservation order ensures email accounts on the cusp of deletion are held for an investigation. F letters provide a 90-day content hold, with another 90 days available on a renewal request. Preservation letters are referred to as “F” letters because of their legal name, 18 U.S.C. 2703(f). The text of an F letter includes:

“(f) Requirement To Preserve Evidence. (1) In general. A provider of wire or electronic communication services or a remote computing service, upon the request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process. (2) Period of retention. Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90-day period upon a renewed request by the governmental entity.”

4.8.1.2 Fourth Amendment Implications of Preservation Orders

Courts generally reject service provider requests to block preservation orders on Fourth Amendment grounds. The rationale is that third parties cannot raise amendment claims on behalf of their customers. The Fourth Amendment of the U.S. Constitution provides that “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” What is important about contesting a preservation order is understanding that the Fourth Amendment does not guarantee protection from all searches and seizures, but only those done by the government and deemed unreasonable (Kim, 2017).

TIP: Preservation orders can live for many years; you will need to design and implement a process of reminders, at least every six months, to users covered under a preservation order to retain all information specified in the order. You will also need to define strategies to preserve information throughout the technology lifecycle and conduct sample validations that data specified by the order still exists.

4.8.2 Digital Best Evidence Rule

Working more than my fair share of investigations, I was always asked, “How do you provide the best digital evidence to support a lawsuit in which your company is involved?” You might be asking yourself whether, if you can just make a copy of data on a hard drive, a printout will do just as well. Thankfully, under the US Federal Rules of Evidence, there is a rule to cover those questions. This rule is called the best evidence rule, meaning that when a plaintiff or defendant (you) wishes to submit evidence to a court, that evidence must be the original or the best you can find. You will need to provide a full explanation of why an original cannot be produced. In the case of digital evidence, it is technically and logistically impossible to ship a computer system with attached storage devices to a courtroom or send it to a plaintiff for discovery. The only valid way to offer the evidence is to make a copy of the data that resides on the storage drive. You will need to provide assurances that the use of this secondary evidence will meet the criteria specified by the best evidence rule. Under the Federal Rules of Evidence, a printout or readable output of data stored in a computer that accurately reflects the original document can be deemed to be the original. Because digital evidence can be subject to alteration and its authenticity is often challenged in court, you will need to prove the authenticity of the information provided. The following are the types of digital evidence admissible in court:

• Computer stored/generated documents.
• Email.
• Social network communications and postings.
• Text messages.
• Website data.

TIP: In the eyes of the court, a forensically protected image of a hard drive is equal to the original hard drive. In an investigation, forensic experts use the first image of a hard drive, referred to as the best evidence, because it is closest to the source.

4.8.3 Digital Chain of Custody

One of the ways to prove the authenticity of evidence, and that it has not been altered, is to carefully track it from gathering to submittal, in other words its chain of custody. You will need to know who came into contact with the evidence and why. Chain of custody issues are critically important if you are going to submit digital evidence in a court of law, particularly how you acquired, protected, and tracked the evidence. The seriousness of the offense should dictate the degree of professionalism invested in the chain of custody. An internal employee investigation involving sexting to another employee can be done more casually than a class action lawsuit or cybercrime offense where the evidence will be required in a court of law. I have seen many instances of methodically collected digital evidence challenged and dismissed from a court case for lack of a proper chain of custody. You will be responsible for creating, documenting, and maintaining a chain of custody for each item of evidence. Accomplishing this should include visual proof of evidence retrievals, such as pictures or videos. It will reinforce your claims of authenticity and admissibility of the evidence in the courtroom if you video record the digital evidence gathering.
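As an added example (my own, not code from the book or from any product it mentions), the Python below records an acquisition hash for a forensic image and keeps a hash-chained custody log sealed with an HMAC, so that an altered image copy or an undocumented edit to the custody history is detectable when the evidence is verified. The item, actors, timestamps, custodian key and image bytes are all constructed for this example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample standing in for the bytes of a forensic disk image.
SAMPLE_IMAGE = b"constructed sample image: boot sector\x55\xaa" + bytes(range(256)) * 4

# Hypothetical custodian key; in practice held only by the evidence custodian.
CUSTODIAN_KEY = b"constructed-custodian-key-for-this-example-only"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Stable serialisation so hashes do not depend on dict ordering.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def now_utc() -> str:
    return datetime.now(timezone.utc).isoformat()


class EvidenceBag:
    """Acquisition record plus a hash-chained custody log for one evidence item."""

    def __init__(self, item_id, description, image, acquired_by, key, when=None):
        self.key = key
        self.record = {
            "item_id": item_id,
            "description": description,
            "acquired_by": acquired_by,
            "acquired_at": when or now_utc(),
            "image_sha256": sha256_hex(image),  # fingerprint of the best-evidence copy
            "image_size": len(image),
        }
        self.custody = []
        self.log("acquired", acquired_by, "image created from source media with write blocker", when)

    def log(self, action, actor, note, when=None):
        # Each entry commits to the previous one, so deleting or reordering entries breaks the chain.
        prev = self.custody[-1]["entry_hash"] if self.custody else self.record["image_sha256"]
        entry = {"seq": len(self.custody), "action": action, "actor": actor,
                 "note": note, "at": when or now_utc(), "prev_hash": prev}
        entry["entry_hash"] = sha256_hex(canonical(entry))
        self.custody.append(entry)

    def transfer(self, from_actor, to_actor, note, when=None):
        self.log("transfer", f"{from_actor} -> {to_actor}", note, when)

    def seal(self) -> str:
        # HMAC over record and log: only the key holder can produce a matching seal.
        payload = canonical({"record": self.record, "custody": self.custody})
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()


def verify_bag(bag, seal, image):
    """Return a list of problems; an empty list means evidence and custody history check out."""
    problems = []
    if not hmac.compare_digest(bag.seal(), seal):
        problems.append("seal mismatch: record or custody log altered after sealing")
    if sha256_hex(image) != bag.record["image_sha256"]:
        problems.append("image hash mismatch: evidence copy differs from acquisition")
    prev = bag.record["image_sha256"]
    for e in bag.custody:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev_hash"] != prev:
            problems.append(f"custody entry {e['seq']}: broken link to previous entry")
        if sha256_hex(canonical(body)) != e["entry_hash"]:
            problems.append(f"custody entry {e['seq']}: contents altered")
        prev = e["entry_hash"]
    return problems


def build_sample_bag():
    # Fixed timestamps keep the sample reproducible.
    bag = EvidenceBag("ITEM-001", "laptop SSD (constructed sample)", SAMPLE_IMAGE,
                      "examiner A", CUSTODIAN_KEY, when="2020-01-10T09:00:00+00:00")
    bag.transfer("examiner A", "evidence locker", "sealed in tamper-evident bag",
                 when="2020-01-10T11:30:00+00:00")
    bag.transfer("evidence locker", "examiner B", "checked out for analysis",
                 when="2020-01-14T08:15:00+00:00")
    return bag, bag.seal()


def demo():
    bag, seal = build_sample_bag()
    intact = verify_bag(bag, seal, SAMPLE_IMAGE)
    altered_image = verify_bag(bag, seal, SAMPLE_IMAGE + b"\x00")  # copy no longer matches acquisition
    bag.custody[1]["note"] = "left unsealed on desk"  # undocumented edit to the custody log
    altered_log = verify_bag(bag, seal, SAMPLE_IMAGE)
    return intact, altered_image, altered_log


if __name__ == "__main__":
    for name, result in zip(("intact", "altered image", "altered log"), demo()):
        print(f"{name}: {result or 'OK'}")
```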


4.8.4 Digital Data Admissibility in Court

Digital evidence admissibility refers to the requirements for admitting evidence in a civil or criminal cybercrime case. Before evidence can be admitted, both the plaintiff and defendant can argue the weight or merits of the evidence to challenge its admissibility. Common arguments against the admissibility of evidence involve the technology used to collect the evidence and whether the evidence was somehow modified during collection or within the chain of custody. When gathering digital forensic evidence, you must satisfy three conditions:

• The authenticity of the data – is the data original and not altered or corrupted after its creation?
• The relevancy of the data – can the data help prove the claim in question?
• The reliability of the data – is the data complete and accurate enough to support a claim?

It is not enough that you may be able to provide proof of the offense; you must also prove that the methods used meet the above criteria, which the courts will use to judge the admissibility of the evidence. You don’t want a case that you’re involved in to be tossed because of sloppy evidence gathering.

4.8.5 Digital Evidence Spoliation

Spoliation is hiding, destroying, or altering information that is evidence. Spoliation of digital evidence occurs when a party violates its duty to preserve data under a preservation order. While spoliation can occur accidentally or intentionally, willful destruction of digital information can draw harsh penalties including fines and incarceration. Spoliation can occur only after a lawsuit or the issuance of a court order; before that, the information was yours to do with as you wished.

Courts will also evaluate pre-litigation spoliation if they feel you knew a lawsuit was imminent. Courts have rather broad powers when it comes to determining spoliation. They will weigh your organization’s data retention policies, your intent, and how material the data would be to the case. Your answers to those questions will determine if the spoliation was negligent or criminal.

Did You Know? In 2018, a judge ruled in the hacking case of Folino v. Hines, initiated under the Computer Fraud and Abuse Act, that the defendant blatantly and intentionally spoliated critical evidence. The defendant was fined the costs of bringing the motion as well as the cost of performing the forensic analysis. Do you have procedures for prevention of evidence spoliation? Source: https://igguru.net/2019/06/10/court-concludes-that-egregious-spoliation-warrants-harshest-sanction-available/

Spoliation has become part of tort law, with all states now having spoliation evidence laws. In an example of non-willful spoliation, a court found that Prudential Insurance Co. did not willfully destroy data but that its actions were negligent nonetheless, and imposed a $1 million sanction (Prudential Insurance Company of America Sales Practice Litigation, 2001). The lesson here is that the court may not find you intended spoliation, but it may fine you for poor data management practices. In 2016, the highly visible data spoliation case of Move v. Zillow found that a former Move executive destroyed computer evidence that would have proved he stole confidential information from Move to use at Zillow. The court held a spoliation hearing to establish if the destruction of the data was too great to allow a fair trial. As a result of the hearing, the judge allowed Move to inform the jury of the spoliation and describe how it hurt their case. Zillow agreed to pay $130 million to Move to settle the case shortly thereafter (Collins, 2016). I would hazard a guess that Zillow realized how damaging the evidence of destroying data would be to its case and subsequently chose to settle rather than continue the trial, risking a more expensive jury outcome.

Did You Know? You can locate cybercrime expert witnesses through the organization The Expert Institute. Does your company have access to expert witnesses who can be retained in the event of a legal proceeding? Source: https://www.theexpertinstitute.com/about/

As a manager, you have a duty to protect data before and after litigation. Data spoliation is considered a serious legal offense, and you could end up serving time.

TIP: Be sure that your data retention program includes spoliation prevention policies. A court will look at your documented data retention practices to evaluate accidental spoliation. Deletion of data that is normally scheduled for deletion could be viewed as a routine event rather than falling under suspicion of spoliation.

4.8.6 Fourth Amendment Rights and Digital Evidence

On May 27, 2016, the US Court of Appeals for the Second Circuit waded into these waters with an en banc panel (full panel of judges) in its decision in United States v. Ganias. This case was to answer the question of how long, and for what purpose, the government can keep seized data acquired outside or ancillary to the original warrant. In this case, the government seized a large cache of data and then determined off-site what was really required. The unneeded data was not returned after two years. The owner of the data, Ganias, an accountant, was not suspected of any wrongdoing, but some of his clients were. However, investigators used his data to look for wrongdoing on his part outside the scope of the original investigation and warrant. Ganias asserted that this constituted a violation of the Fourth Amendment’s prohibition on unreasonable seizures. The court agreed with the assertion of a violation of the Fourth Amendment. Price (2016) describes how forensic practice can avoid over-seizure in the first place:

“Using write-blocking software and a process like ‘selective imaging,’ not only is it possible to quickly search through large amounts of data on-site, but it is also possible to preserve any responsive data in an efficient and reliable way that allows it to be used later in court. One prominent approach is the use of ‘digital evidence bags’ that allow investigators to safely search and acquire data on-site, together with any relevant metadata, and package it using digital keys designed to assure the data’s provenance for authentication and use at trial.” (Price, 2016)

The message sent by this ruling is that judges should limit the scope of warrants for digital data to only what is needed and necessary. Today’s digital forensics has advanced to the point where this is feasible. The ruling by the court does not eliminate the practice but makes it more of a rare occurrence.

4.8.7 Expert Witnesses

Did You Know? Sen. Dianne Feinstein, the top Democrat on the Senate committee that oversees the FBI, said publicly that the government paid $900,000 to break into the locked iPhone of a gunman in the San Bernardino, California, shootings, even though the FBI considers the figure to be classified information. Source: https://www.cnbc.com/2017/05/05/dianne-feinstein-reveals-fbi-paid-900000-to-hack-into-killers-iphone.html

In the event you are involved in a cybersecurity case, you will need at least one expert witness to side with your argument. Selecting computer forensic experts must be done with great care, since your experts will have to hold up to cross-examination concerning their expertise. During my first time as an expert witness, I was surprised at how opposing counsel studied my background in detail and challenged every aspect of it in an attempt to discredit me. Fortunately, the judge interrupted after 45 minutes of grilling and declared that I clearly met the criteria of an expert witness.

The experts selected should also have experience testifying under oath and communicating simply and effectively to a lay jury. Most times, companies have already hired forensic experts before a lawsuit is even filed. There is some risk that the plaintiff may question the expertise of your expert witness and how the data was gathered. In the event this occurs, you may be required to start over and formally request the appointment of a neutral third party to perform the forensic investigation. If so, remember that this expert witness serves as an officer of the court who will be impartial to the plaintiff and defendant.

4.8.8 Security Consultant Client Privilege

We have all heard about attorney-client privilege, but what about security consultant-client privilege? If you hired an outside security consulting firm to investigate a data breach, would you be able to keep the results of their investigation out of court? You just may be able to, based on a key data breach litigation ruling made by the Middle District Court of Tennessee in the Genesco, Inc. v. Visa U.S.A., Inc. case. The court ruled that Visa could not have access to security assessment reports produced by two security consulting companies hired by Genesco (Genesco, Inc. v. Visa U.S.A., Inc., 2013). That ruling is clearly good news. In In re Premera Blue Cross Customer Data Security Breach Litigation, 296 F. Supp. 3d 1230 (D. Or. 2017), a court found that many of the documents Premera sought to withhold as privileged would have been prepared regardless of any breach. Before the breach, Premera had retained the services of a third-party vendor to review its data management system. Once the breach was discovered, Premera retained outside counsel, who entered into an amended statement of work with the vendor, requiring the vendor to report to counsel. The court rejected Premera’s argument that all work done after that amendment was privileged, noting that the scope of work being performed by the vendor remained unchanged. The court did hold, however, that draft reports sent to counsel for review were privileged. The court ruled that the assessment reports were protected by attorney-client privilege. This ruling is important, as it confirms that cybersecurity consultants’ work product and communications are confidential when counsel retains the consultants for the purpose of obtaining technical assistance to enable counsel to render legal advice to a client. For this to be true, legal counsel must take the lead in a security investigation.

4.9 State Digital Forensics Law

You may be surprised to learn that a growing number of states require licensed private investigators (PI) to be involved in digital forensic investigations for the evidence to be admissible in a court of law. I have lived in four states (Georgia, Michigan, New York, and Texas) with laws requiring PI involvement in digital forensic investigations. I was curious which other states also had that requirement and found that California and Nevada now require PI involvement (Legal Compliance, n.d., para. 4). I have talked to colleagues who tell me that they have found other states going a bit further than a PI license by requiring a Digital Forensic Examiners license or a minimum of three years as a sworn law enforcement officer. It is important for you to research the forensics laws in your state. I first came across the PI requirement in 2008 while working with a Texas-based company investigating a breach of security. I was asked to review the findings of their recent forensics investigation. As this was my first time working a forensics case in Texas, I familiarized myself with the rules of evidence. It was at that point that I realized my client could not submit any of their proof in a Texas court of law. What the client would soon learn was that a year earlier Texas had passed the Private Security Act, requiring that a licensed PI collect forensic evidence for it to be admissible in a state court. Their hard lessons were that the evidence was illegally acquired, a violation of the chain of custody had occurred, and they could not terminate the employee they suspected of committing the offense. It is important to understand whether your state has licensure requirements for conducting digital forensics. The consequences of not knowing could be substantial. To see just how impactful conducting an illegal digital forensics investigation can be, look at Michigan’s penalties. The Michigan law states, “If a person performs computer forensic work without being licensed, then the violator is guilty of a felony and subject to imprisonment for up to four years, a civil fine up to $25,000 or a criminal fine of up to $5,000.” I think you would agree that a little homework is worth the effort. Table 4-5 provides a summary of the states that indirectly suggest or directly require that you include a licensed investigator on the forensic team if you intend to use that data in a court of law.

Table 4-5. State Digital Forensic Investigation Requirements

State            Statute
---------------  ------------------------------------------------------------------------------
California       CA Business & Professions Code § 3-11.3-7512-7573; §3-11.3-7522 Exemptions
Florida          Florida Statutes §32-493
Georgia          Georgia Code §43-38-14
Michigan         Michigan Compiled Laws §338-821 to 851
Missouri         Missouri 2010 Revised Statutes § 22-324-1100 to 1148
Nevada           Nevada Revised Statutes Title 54, Chapter 648
North Carolina   North Carolina Statutes §74C-1-1 to 30
New York         New York Revised Statutes GBS, Article 7, Sections 7089A: Private Investigators
Texas            Texas Statutes Title 10, Chapter 1702

4.10 The CLOUD Act

H.R.1625-866, the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which is part of the Consolidated Appropriations Act of 2018, became law on March 23, 2018. The Act provides that U.S. law-enforcement orders issued under the Stored Communications Act (SCA) may reach certain data located in other countries. This Act should improve requests for forensic and discovery data. The two key elements of the CLOUD Act are:

• U.S. Access to Foreign Stored Data – The Act authorizes U.S. law enforcement to unilaterally demand access to data stored outside the U.S. When the U.S. orders a company to produce communications data, the Act provides a mechanism for a communications provider to challenge the order if disclosing the data would risk violating foreign law. Under the CLOUD Act, the legal protection of an individual's rights depends on an objection by the provider; individuals cannot challenge an order under the CLOUD Act. Courts will consider a provider's challenge of an order for disclosure of data in the context of the foreign interests at stake. However, U.S. courts can require production of that data despite the objection, even where the laws of another nation would be violated.

• Executive Agreements – The Act permits federal officials to enter into executive agreements granting foreign governments access to data stored in the U.S., even if that data would otherwise be protected under the Electronic Communications Privacy Act (ECPA). Prior to foreign access, the foreign government must meet standards of protection to ensure privacy and civil liberties.

4.11 Emerging Data Encryption Laws

When encryption was originally envisioned, it was primarily designed to protect information from being used by bad actors once stolen. Authors of the original encryption algorithms never really thought that governments would want to have access to their encryption programs, nor was it imagined that dozens of laws would be passed to regulate how encryption should be used. In an effort to bring sanity to the uncontrolled growth of encryption regulations, two important pieces of legislation have been introduced. One would establish a single national encryption law applicable to all states, and the other would keep government from interfering with encryption technology.

4.11.1 Ensuring National Constitutional Rights for Your Private Telecommunications (ENCRYPT) Act

For the second time, H.R. 4170 – Ensuring National Constitutional Rights for Your Private Telecommunications (ENCRYPT) Act was introduced in the US Congress in August of 2019. The ENCRYPT Act would preempt state and local government encryption laws to provide a uniform, national encryption policy. With each state having its own data encryption requirement, it can be exceedingly difficult for organizations to understand and comply with these disparate state laws. The ENCRYPT Act was originally introduced in 2016 (H.R. 4528); however, it lacked enough support in Congress to pass. With new encryption laws from California and New York, this Act makes more sense now than ever before.

4.11.2 Secure Data Act

Manufacturers of hardware and software have long been concerned about a government requirement to include a backdoor to aid government surveillance and search and seizure warrants. H.R. 5823 – Secure Data Act of 2018 is designed to protect manufacturers from just such government interference. This bill prohibits any federal agency from requiring manufacturers of electronic devices made available to the public at large to include security functions that can be used for government spying or access to data on the device, even if encrypted.

4.12 Biometrics Law

With a reported 62% of organizations already deploying biometric technology (Tsai, 2018) to secure access to sensitive information and assets, it was only a matter of time before legislation would be passed to prevent abuses of biometric technologies. Biometrics can include facial recognition, voice, retinal, signature, keystrokes and other ways of discerning the identity of someone. As you might imagine, personally identifiable (PI) information is divulged with each biometric scan. Biometric scanning also raises the question, "Where is all that personal data going?" To protect the most personal of personally identifiable data (biometrics), several states have enacted laws regulating biometric use. Table 4-6 identifies states with existing biometric laws.

Table 4-6. State Biometric Laws

State: Arkansas
Law: Arkansas Code §4-110-103(7)
Summary: Defines biometrics within its data breach response law to include an individual's voiceprint, handprint, fingerprint, DNA, retinal/iris scan, hand geometry, faceprint or any other unique biological characteristic, if the characteristic is used by the owner or licensee to uniquely authenticate the individual's identity.
Effective: 2019

State: California
Law: California Consumer Privacy Act (CCPA)
Summary: Definition of PI includes biometric data, which the CCPA broadly defines to include physiological, biological and behavioral characteristics.
Effective: 2020

State: Illinois
Law: Biometric Information Privacy Act (BIPA)
Summary: First state to regulate the collection, use and disclosure of biometric data in its own unique and discrete context. Multiple states have utilized BIPA as a model for biometric protections.
Effective: 2008

State: New York
Law: Stop Hacks and Improve Electronic Data Security (SHIELD) Act
Summary: PI includes biometric information, such as a fingerprint, voiceprint, retina or iris image, or other unique physical or digital representation of biometric data, which is used to authenticate or ascertain the individual's identity.
Effective: 2020

State: Texas
Law: Texas Business and Commerce Code - BUS & COM 503.001 Capture or Use of Biometric Identifier
Summary: Prohibits the capture of an individual's biometric identifiers for a commercial purpose unless the individual is first informed and consents. Also limits the sale or disclosure of an individual's biometric identifiers except under limited circumstances.
Effective: 2009

State: Washington
Law: Washington House Bill 1493 (2017)
Summary: Biometric data refers to information generated by the automatic measurement of an individual's biological characteristic such as a fingerprint, voiceprint, retina, iris, or other unique biological pattern or characteristic used to identify a specific individual.
Effective: 2017

It is still too soon to tell if regulating biometric data is more of a hindrance than a true privacy protection. A national debate is needed on whether biometrics encroaches on our civil liberties or is a valuable security authentication method. In any event, privacy managers should evaluate the biometric laws applicable to their businesses and/or geography and make any needed changes to existing privacy policies. I expect more states to enact biometric laws or at the very least include biometric data as part of their PI definition in existing privacy laws.

Tsai, P. (2018, March 12). Data Snapshot: Biometrics in the Workplace Commonplace, but are They Secure? Spiceworks. [Blog]. Retrieved from https://community.spiceworks.com/security/articles/2952-data-snapshot-biometrics-in-theworkplace-commonplace-but-are-they-secure

4.13 Genetic Information Privacy Laws

The use of genetic information has moved from the healthcare lab to our homes, where we can order up any number of genetic testing kits to tell us our health and ancestry information. Like biometrics, genetic data can be used to identify individuals. Current healthcare regulations and laws such as HIPAA only apply to organizations if they are either a covered entity or a business associate. This leaves a large gap in privacy regulation of genetic information. I was surprised to learn that some of the largest DNA matching companies like Ancestry.com and 23andMe are not covered by HIPAA. With no federal genetic privacy laws, states are taking steps to safeguard the genetic privacy of their citizens. States with existing privacy legislation require written consent to release genetic data, restrict how it can be used, and require certain privacy controls to prevent unauthorized disclosures. Table 4-7 identifies several states with data privacy laws that cover genetic data.

Table 4-7. State Genetic Data Privacy Laws

State           Law                        Consent Required to Access   Defined as Personal Property   Penalties for Privacy Violations
--------------  -------------------------  ---------------------------  -----------------------------  --------------------------------
Alaska          §18.13.010-100             Yes                          Yes                            Yes
Delaware        §16.2.1220 to §16.2.1227   Yes                          Yes                            Yes
Florida         §760.40                    Yes                          Yes                            Yes
Georgia         §760.40                    Yes                          Yes                            Yes
Massachusetts   §111.70G                   Yes                          Yes                            Yes
New York        CVR §79-L                  Yes                          Yes                            Yes
South Carolina  §38-93-10 to §38-93-60     Yes                          Yes                            Yes
Vermont         §18:9331 to §18:9335       Yes                          Yes                            Yes

Summary This chapter showed you the legal dos and don’ts of data encryption as well as some unique ways your company can violate encryption laws. You may never have thought about being sued by a patent troll before reading this chapter. And who would have thought you needed to hire Dick Tracy to perform your digital forensics? Because it is not a matter of “if,” but “when,” your company is involved in a cybersecurity lawsuit, you should now have an understanding of the processes involved in gathering and protecting evidence.


References

Barker, E. (2016, January). Recommendation for key management. Part 1: General (NIST Special Publication 800-57 Pt. 1 Rev. 4). US Department of Commerce, National Institute of Standards and Technology. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf

Barry, C., Ansell, L., Arad, R., Cartier, M., & Lee, H. (2016, May). 2016 patent litigation study: Are we at an inflection point? Retrieved from http://www.pwc.com/us/en/forensicservices/publications/assets/2016-pwc-patent-litigation-study.pdf

Brachmann, S. (2016, January 8). 2015 litigation trends highlight increased patent litigation, decreases in file sharing cases. IPWatchdog. Retrieved from http://www.ipwatchdog.com/2016/01/08/2015-patent-litigation-trends/id=64774/

Collins, J. (2016, June 6). Zillow to pay realtor.com $130 million over trade secrets. The Orange County Register. Retrieved from http://www.ocregister.com/articles/zillow-718419-realestate.html

Cushing, T. (2015, December 2). Patent Troll Sues Everyone For Infringing On Encryption-Related Patent By Encrypting Their Websites. Techdirt. Retrieved from https://www.techdirt.com/blog/?company=cryptopeak+solutions

Genesco, Inc. v. Visa U.S.A., Inc. (US District Court for the Middle District of Tennessee, Nashville Division 2013)

Hennessy, J., Howell, C., Overly, M., Rathburn, J., Millendorf, S., Tantleff, A., Goldstick, S., & Chisena, T. (2019, July 1). State Data Breach Notification Laws. Insights. Retrieved from https://www.foley.com/en/insights/publications/2019/01/state-data-breach-notificationlaws

Jarosz, J., Mulher, C., McLean, J., & Vigil, R. (2018, September 26). Patent Damages in US Courts: Overview of Current State of Play. Analysis Group-USA. Retrieved from https://www.iam-media.com/patent-damages-us-courts-overview-current-state-play

Kerr, O. (2016, October 28). The Fourth Amendment and Email Preservation Letters. The Washington Post. Retrieved from https://www.washingtonpost.com/news/volokhconspiracy/wp/2016/10/28/the-fourth-amendment-and-email-preservationletters/?noredirect=on

Kim, J. (2017, June). Fourth Amendment. Legal Information Institute, Cornell Law School. Retrieved from https://www.law.cornell.edu/wex/fourth_amendment

Kitten, T. (2013, June 25). Patent lawsuits target eight banks: Litigation takes aim at core banking systems, functions. Bank Info Security. Retrieved from http://www.bankinfosecurity.com/patent-trolling-targeting-banks-a-5858/op-1

Kumar, M. (2015, December 1). Patent troll – 66 big companies sued for using HTTPS encryption. The Hacker News. Retrieved from http://thehackernews.com/2015/12/patenttroll-https-encryption.html

Legal compliance: Diversified forensics complies with all relevant state laws pertaining to evidence collection. (n.d.). Retrieved October 20, 2016 from http://www.diversifiedforensics.com/legal-compliance/

Lewis, D. (2016, February 24). What the All Writs Act of 1789 has to do with the iPhone. Smithsonian Magazine. Retrieved from http://www.smithsonianmag.com/smart-news/what-all-writs-act-1789has-do-iphone-180958188/?no-ist

London, R. (2008, February 27). Some state data encryption requirements more effective than others. [Web log post]. Retrieved from http://www.privsecblog.com/2008/02/articles/policy-regulatory-positioning/some-statedata-encryption-requirements-more-effective-than-others/

McShane, J. (2016, June 6). The Cost of ITAR Violations Just Went Up. [Blog]. Export Solutions, Inc. Retrieved from https://www.exportsolutionsinc.com/resources/blog/thecost-of-itar-violations-just-went-up/

Move v. Zillow, No. 14-2-07669-0 (Washington Superior Court 2014)

National Conference of State Legislatures. (2016, January 4). Security breach notification laws. Retrieved from http://www.ncsl.org/research/telecommunications-and-informationtechnology/security-breach-notification-laws.aspx

Price, M. (2016, October 4). United States v. Ganias and the Case for Selective Seizures of Digital Evidence. Brennan Center for Justice [Blog]. Retrieved from https://www.brennancenter.org/blog/united-states-v-ganias-and-case-selective-seizuresdigital-evidence

Prudential Insurance Company of America Sales Practice Litigation. Marvin Lowe and Alice Lowe, appellants (US Court of Appeals, Third Circuit 2001)

United States v. Doe, No. 86-1753 (US Fifth Circuit Court 1988)

US Department of Commerce, Bureau of Industry and Security (BIS). (2016, November 4). License exceptions: Supplement no. 1 to part 740. Retrieved from http://www.bis.doc.gov/index.php/forms-documents/doc_view/452-supplement-no-1-topart-740-country-groups

US Munitions List. 22 CFR pt. 121.1 (2013). Retrieved from https://www.law.cornell.edu/cfr/text/22/121.1

Self-Study Questions

The following exercises will help you hone your work within the guidelines of encryption and digital forensics law.

1. Research each applicable data encryption law your organization must comply with and use the results to create an inventory.
2. Create a schema of data breach safe harbor requirements for each state data breach law your organization must comply with.
3. Create a personal use encryption policy to provide guidance for employees working overseas.
4. Perform a simulation of how your organization would respond to an "F Letter." Revise any noted deficiencies in discovery request and legal hold practices.
5. Trace the provenance of encryption technology used within your organization to determine if appropriate licenses are in place and determine if any infringe on existing patents.
6. Review your organization's digital forensics policy in comparison to the stated requirements and practices presented within this chapter.
7. Create an anti-spoliation policy to ensure data is not willfully or unintentionally destroyed.
8. Determine if your organization has protocols in place to ensure attorney-client privilege for security assessment reports. Work with your legal department or outside legal counsel to refine or implement appropriate protocols.
9. For each state where your organization could conduct a forensic investigation, identify the investigator licensing requirements.
10. Identify countries where your organization operates where Executive Agreements are negotiated under the CLOUD Act.

Chapter 5 Acts, Standards & Regulations

Now that we have discussed the laws that cybersecurity programs should comply with, I want to turn your attention toward acts, standards and regulations applicable to various industries. The differences between these statutes may seem minor, but they are nonetheless important. Acts are formal written enactments passed by a legislative body that ultimately become law. A regulation is a specific rule prescribed to regulate conduct, whereas a standard is a document created through consensus and approved by a recognized standards body. Regulations and acts are enforceable by law, while standards are self-enforced by a standards body. You will have undoubtedly noticed that some acts, regulations and standards were discussed in previous chapters when applicable to the subject matter. This chapter will walk you through other statutes you may encounter whether you are a private or public company. The subtle differences in the classification of these statutes, and the fact that many organizations may have to comply with more than one, suggest that introducing you to these statutes in alphabetical order is most appropriate.

This chapter will help you to:

• Understand the differences between acts, standards and regulations.
• Determine if your manufacturing processes are covered by cybersecurity statutes.
• Understand which industry-specific statutes apply to your organization.

5.1 Basel III Accord

Basel III, also known as the Third Basel Accord or the Basel Standards, is a global, voluntary regulatory framework on bank capital adequacy, stress testing, and market liquidity risk. The accord extends to 27 jurisdictions including Australia, Brazil, Canada, China, France, Germany and India. Banks must hold a minimum capital of seven percent of common equity of risk-weighted assets and potentially more based on their risk profile. The accord was created in response to regulatory shortcomings identified during disruptions to financial markets and times of global financial crisis. The Committee has no supranational authority, its decisions carry no legal force, and it cannot impose fines or sanctions. Rather, once the Committee agrees on a standard, its member jurisdictions are responsible for converting this standard into law or regulation. Since the first Basel Accord, concerns regarding the convergence of operational and cyber risk have been raised. Members of the Basel Committee on Banking Supervision agreed to promote cyber risk management for financial institutions as a measure to determine bank capital requirements (Ingves, 2018). Relating to operational risk, Basel is concerned with the risk areas outlined in Table 5-1.

Table 5-1. Basel Accord Risk Areas

Business Line: Internal Fraud
Category: Unauthorized Activity
Activity Examples:
• Transactions not reported (intentional)
• Transaction type unauthorized (with monetary loss)

Business Line: External Fraud
Category: Theft & Fraud
Activity Examples:
• Theft or robbery
• Forgery

Business Line: External Fraud
Category: Systems Security
Activity Examples:
• Hacking damage
• Theft of information (with monetary loss)

Business Line: Clients, Products & Business Practices
Category: Suitability, Disclosure & Fiduciary
Activity Examples:
• Retail customer disclosure violations
• Breach of privacy
• Misuse of confidential information

Business Line: Damage to Physical Assets
Category: Disasters & Other Events
Activity Examples:
• Natural disasters
• Human losses from external sources (terrorism, vandalism)

Business Line: Business Disruption & System Failures
Category: Systems
Activity Examples:
• Hardware
• Software
• Telecommunications
• Utility or other disruptions

Business Line: Execution, Delivery & Process Management
Category: Transaction Capture, Execution & Maintenance
Activity Examples:
• Data entry, maintenance or loading error
• Model / system misoperation
• Accounting error / entity attribution error

Business Line: Execution, Delivery & Process Management
Category: Customer Intake & Documentation
Activity Examples:
• Client permissions / disclaimers missing
• Legal documents missing / incomplete

Business Line: Execution, Delivery & Process Management
Category: Customer / Client Account Management
Activity Examples:
• Unapproved access given to accounts
• Incorrect client records (loss incurred)
• Negligent loss or damage of client assets

Basel requires financial institutions to assess their technical risk, establish controls, test controls, and perform regular audits. Most organizations use International Organization for Standardization (ISO) standards to achieve compliance with the Basel Accord, as both apply internationally. The National Institute of Standards and Technology (NIST) Special Publications (SP) can also be used to achieve compliance. Penalties for noncompliance are levied by banks’ respective supervisory authorities that accept Basel as the minimum standard of operational risk for their member institutions.

5.2 Chemical Facility Anti-Terrorism Standards (CFATS) Act

Authorized by Congress in 2007 as 6 CFR Part 27 – Chemical Facility Anti-Terrorism Standards, the Act incorporates a multi-tiered risk assessment process to identify high-risk chemical facilities. Facilities that are classified as high-risk are required to meet and maintain performance-based security standards appropriate to their unique security challenges and the tier level identified within the Act. On December 18, 2014, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 ("CFATS Act of 2014") was signed into law. The Act recodified and reauthorized the CFATS program for four years. On January 18, 2019, the act was extended through 2020. The Cybersecurity and Infrastructure Security Agency (CISA) has the authority to issue an enforcement action to any chemical facility found to be in violation of CFATS. The CFATS Penalty Policy addresses the following specific categories of violations:

• Failure to File Violations.
• Submission of False Information.
• Security Vulnerability Assessment (SVA)/Site Security Plan (SSP) Deficiencies.
• SVA/SSP Infractions.
• Chemical-terrorism Vulnerability Information (CVI) Violations.

SSP Deficiencies and Infractions are considered on a case-by-case basis using an established set of criteria to ensure consistent application of civil penalties. Table 5-2 outlines the CFATS fines.

Table 5-2. CFATS Fines

Infraction Level: Minor
Description: A deficiency or infraction in which an RBPS (risk-based performance standard) is not fully addressed and the lack thereof is reasonably expected not to pose an immediate impact on the security of the COI (chemical of interest).
Fine: $1,000 to $2,000 a day

Infraction Level: Moderate
Description: A deficiency or infraction in which an RBPS is only partially addressed and poses an immediate and significant impact on the security of the COI.
Fine: $3,000 to $6,000 a day

Infraction Level: Major
Description: A deficiency or infraction in which an RBPS is significantly or wholly unaddressed and poses an immediate and critical impact on the security of the COI.
Fine: $5,000 to $10,000 a day

To see the entire penalty policy, go to https://www.dhs.gov/sites/default/files/publications/fscfats-penalty-policy-508.pdf. The Cybersecurity and Infrastructure Security Agency (CISA) manages the CFATS program by working with facilities to ensure they have security measures in place to reduce the risks associated with certain hazardous chemicals and prevent them from being exploited in a terrorist attack. Table 5-3 presents Risk-Based Performance Standard (RBPS) 8 – Cyber.

Table 5-3. Risk-Based Performance Standards (RBPS) 8 – Cyber

Critical Cyber System: Critical Business Systems
Security Measures:
• Develop, maintain, and implement documented and distributed cybersecurity policies and procedures, including change management policies, as applicable, to their critical cyber assets.
• Maintain account access control to critical cyber systems utilizing the least privilege concept, maintain access control lists, and ensure that accounts with access to critical/sensitive information or processes are modified, deleted, or deactivated when personnel leave and/or when users no longer require access.
• Implement password management protocols to enforce password structures, ensure all default passwords have been changed (where possible), and implement physical controls for cyber systems where changing default passwords is not technically feasible.
• Ensure that physical access to critical cyber assets and media is restricted to authorized users and affected individuals.

Critical Cyber System: Critical Business Systems (continued), Critical Physical Security Systems, Critical Control Systems
Security Measures:
• Report significant cyber incidents to senior management and the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
• Provide cybersecurity training for employees and contractors, as appropriate, who work with cyber assets.
• Define allowable remote access and rules of behavior for issues related to remote access (e.g., Internet, virtual private networks (VPN), gateways, routers, firewalls, wireless access points, modems, vendor maintenance connections, Internet Protocol (IP), and address ranges).
• Conduct recurring audits that measure compliance with the cybersecurity policies, plans, and procedures and report results to senior management.
• Document the business need and network/system architecture for all critical cyber assets.
• Disable unnecessary system elements upon their identification; identify and evaluate potential vulnerabilities and implement compensatory security controls.
• Identify and document system boundaries and implement security controls to limit access across those boundaries.
• Maintain a defined incident response system for possible cyber incidents (e.g., denial-of-service attack, virus, worm attack, botnet, etc.).
• Integrate cybersecurity into the system lifecycle for all critical cyber assets from system design through procurement, implementation, operation, and disposal.
• Monitor the critical networks in real time for unauthorized or malicious access and alerts, and recognize and log events and incidents.
• Integrate backup power for all critical cyber systems should an emergency or incident occur.
• Maintain continuity of operations plans (COOPs), IT contingency plans, and/or disaster recovery plans.

5.3 Defense Federal Acquisition Regulation Supplement (DFARS)

The DFARS, Defense Federal Acquisition Regulation Supplement, is a supplement to the Federal Acquisition Regulation (FAR) that provides the Department of Defense (DoD) with specific acquisition regulations. The Office of the Under Secretary of Defense for Acquisition, Technology and Logistics maintains the Defense Procurement and Acquisition Policy. All DoD contractors that process, store or transmit Controlled Unclassified Information (CUI) must meet DFARS minimum security standards or risk losing their DoD contracts. DFARS provides a set of adequate security controls to safeguard information systems where contractor data resides. These controls are defined in NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations. Manufacturers must implement these security controls through all levels of their supply chain.

5.3.1 Minimum Requirements for DFARS

While data security is an increasingly complex field, the DoD has kept the requirements on contractors straightforward and reasonable. To meet the minimum requirements, DoD contractors must:

• Provide adequate security to safeguard covered defense information that resides in or transits through your internal unclassified information systems from unauthorized access and disclosure.
• Rapidly report cyber incidents and cooperate with the DoD to respond to these security incidents, including providing access to affected media and submitting malicious software.

If you are covered under DFARS, make sure you do not misinterpret the term "adequate security." The term adequate security can mean many things to many people. DFARS details fourteen groups of security requirements that must be applied to many aspects of your information technology. To be considered DFARS compliant, non-federal and contractor information systems/organizations must pass a readiness assessment following NIST SP 800-171 guidelines. The fourteen requirement families are:

1. Access Control
2. Awareness and Training
3. Audit and Accountability
4. Configuration Management
5. Identification and Authentication
6. Incident Response
7. Maintenance
8. Media Protection
9. Personnel Security
10. Physical Protection
11. Risk Assessment
12. Security Assessment
13. System and Communications Protection
14. System and Information Integrity

To learn more about complying with DFARS, check out NIST Handbook 162 - NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements, located at https://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf.

5.3.2 Termination of Contracts and Penalties for Non-Compliance

DoD contractors that are audited by the Department of Defense and are found not to follow DFARS and NIST SP 800-171 are likely to face a stop-work order. This means that their work on behalf of DoD will be suspended until they implement suitable security measures to protect CUI (Controlled Unclassified Information). In addition, the Department of Defense may impose financial penalties, including seeking damages for breach of contract and false claims. In the worst-case scenario, DoD contractors could find their contracts with the Department of Defense terminated. They could even face suspension or debarment from working with the Department of Defense again. For more information on the penalties for non-compliance, see section 252.204-7014 of DFARS.

5.4 Directive on Security of Network and Information Systems (NIS Directive)

On July 6, 2016, the European Parliament set into policy the Directive on Security of Network and Information Systems, commonly referred to as the NIS Directive (EUR-Lex, 2016). The directive went into effect in August 2016, and all member states of the European Union were given 21 months to incorporate the directive's regulations into their own national laws. The aim of the NIS Directive is to create an overall higher level of cybersecurity in the EU. Figure 5-1 shows the three main components of the Directive.

Figure 5-1. NIS Directive Components

The directive significantly affects digital service providers (DSPs) and operators of essential services (OESs). DSPs, companies that provide online services for a fee, include companies like Amazon, eBay and cloud service providers. OESs include companies that provide some form of service that is essential to societal or economic activities, such as utilities or banks. The NIS Directive is concerned with security breaches that disrupt DSPs and OESs. Both DSPs and OESs are now held accountable for reporting major security incidents to their respective national Computer Security Incident Response Teams (CSIRTs). There are varying levels of accountability between DSPs and OESs; you should review the accountability the regulation assigns to each. If you are a DSP operating in the EU, you still face the regulation regardless of where you are located. Even if DSPs and OESs outsource the maintenance of their information systems to third parties, the NIS Directive still holds them accountable for any security incidents. The member states of the EU are required to create a NIS Directive strategy, which includes the CSIRTs, in addition to National Competent Authorities (NCAs) and Single Points of Contact (SPOCs). These bodies are given the responsibility of handling cybersecurity breaches in a way that minimizes impact. In addition, all member states of the EU are encouraged to share cybersecurity information. Security requirements include technical measures that manage the risks of cybersecurity breaches in a preventative manner. Both DSPs and OESs must provide information that allows for an in-depth assessment of their information systems and security policies. All significant incidents must be notified to the CSIRTs. Whether an incident is significant is determined by the number of users affected by the security breach, the duration of the incident and its geographical reach.

5.5 European Union Cybersecurity Act

In December 2018, the European Parliament, the Council and the European Commission reached a political agreement on the Cybersecurity Act, which reinforces the mandate of the EU Agency for Cybersecurity (European Union Agency for Network and Information Security, ENISA) so as to better support Member States in tackling cybersecurity threats and attacks. The Act also establishes an EU framework for cybersecurity certification, boosting the cybersecurity of online services and consumer devices. Proposed in 2017 as part of a wide-ranging set of measures to deal with cyber-attacks and to build strong cybersecurity in the EU, the Cybersecurity Act includes:

• A permanent mandate for the EU Cybersecurity Agency, ENISA, to replace its limited mandate that would have expired in 2020, as well as more resources allocated to the agency to enable it to fulfil its goals.
• A stronger basis for ENISA in the new cybersecurity certification framework to assist Member States in effectively responding to cyber-attacks, with a greater role in cooperation and coordination at Union level.

The Cybersecurity Act (“Act”) was adopted April 17, 2019 and became effective June 27, 2019, with some provisions effective June 28, 2021. U.S. companies are about to be surprised about how the Act could impact them and hinder their ability to compete in the EU market.

In addition, ENISA will help increase cybersecurity capabilities at EU level and support capacity building and preparedness. Finally, ENISA will be an independent center of expertise that will help promote high levels of awareness among citizens and businesses and also assist EU Institutions and Member States in policy development and implementation. The Cybersecurity Act also creates a framework for European Cybersecurity Certificates for products, processes and services that will be valid throughout the EU. This is a groundbreaking development, as it is the first internal market law that takes up the challenge of enhancing the security of connected products, Internet of Things devices and critical infrastructure through such certificates. The creation of such a cybersecurity certification framework incorporates security features in the early stages of technical design and development (security by design). It also enables users to ascertain the level of security assurance and ensures that these security features are independently verified. If your organization offers online services or consumer products within the EU, you should begin the following activities:

• Monitor ENISA and EU websites for updates on EU cybersecurity certification schemes.
• Apply for membership in the Scientific Committee on Consumer Safety (SCCS).
• Determine if ENISA requirements run counter to U.S. standards.
• Determine if certification is required to compete in the EU markets.
• Analyze risks associated with non-compliance with certification schemes.
• Understand the requirements for providing supplemental information or notifications regarding discovered vulnerabilities or “bugs.”
• Identify internal information that is commercially sensitive and requires protection from disclosure.

5.6 Family Educational Rights and Privacy Act (FERPA)

The Family Educational Rights and Privacy Act of 1974 (FERPA), commonly referred to as the Buckley Amendment, is a United States federal law that protects the privacy of student education records. FERPA applies to any school or program that receives funding from the US Department of Education. An educational institution that fails to comply with FERPA may lose its federal funding. Individual incidents involving the disclosure of private information may lead to a lawsuit or allow for monetary compensation for the damages. FERPA gives parents access to their child’s education records, an opportunity to seek to have the records amended, and some control over the disclosure of information from the records. It covers all schools, whether K-12 or higher education, public or private, that receive funds under any program from the U.S. Department of Education. While FERPA does not require institutions to adopt specific security controls, it does require the use of “reasonable methods” to safeguard student records (34 CFR § 99.31):

(ii) An educational agency or institution must use reasonable methods to ensure that school officials obtain access to only those education records in which they have legitimate educational interests. An educational agency or institution that does not use physical or technological access controls must ensure that its administrative policy for controlling access to education records is effective and that it remains in compliance with the legitimate educational interest requirement in paragraph (a)(1)(i)(A) of this section (U.S. CFR, 2019).

Despite this requirement, many educational data breaches happen annually. Not only does the disclosure of student records violate FERPA, but disclosures can expose students to a host of negative consequences such as identity theft, fraud, and extortion.

TIP: To acquire an FSA Cybersecurity Compliance checklist, go to the FSA Cyber Security page located at https://ifap.ed.gov/eannouncements/Cyber.html.

5.7 Federal Financial Institutions Examination Council (FFIEC)

The Federal Financial Institutions Examination Council (FFIEC) has long audited financial institutions on their risk, disaster recovery and business continuity controls. FFIEC examiners use the Information Technology Examination Handbook (IT Handbook) as a guide to assess the level of security risk to a financial institution’s information systems. The last update to the IT Handbook was September 9, 2016 (OCC, 2016). FFIEC evaluates the adequacy of the information security program’s integration into overall risk management. The FFIEC requires financial institutions to:

• Maintain effective information security programs commensurate with their operational complexities.
• Ensure strong board and senior management support.
• Promote integration of security activities and controls throughout the institution’s business processes.
• Establish clear accountability for carrying out security responsibilities.

In 2014, the FFIEC released the Cybersecurity Assessment Tool, which provides a substantial amount of information on cybersecurity controls to meet financial regulations. The FFIEC continually updates the tool, with the latest update occurring in May of 2017. The tool is located at: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_May_2017.pdf.

5.8 Federal Information Security Management Act (FISMA)

The Federal Information Security Management Act (FISMA) of 2002 provides consistent security practices across the U.S. government. FISMA accomplishes this goal by standardizing the process for risk management and information security practices for all federal agencies and the contractors that do business with the government.

FISMA 2014 updated the cybersecurity practices defined in FISMA 2002 by codifying the Department of Homeland Security (DHS) authority to administer the implementation of information security policies for non-national-security federal Executive Branch systems. FISMA 2014 also amended and clarified the Office of Management and Budget’s (OMB) oversight authority over federal agency information security practices by requiring OMB to amend or revise OMB A-130 to “eliminate inefficient and wasteful reporting” (S.2521, 2014). Important FISMA features:

• Periodic risk assessments.
• Policies and procedures based on assessments.
• Quantitative risk rating – data-driven security model.
• Subordinate plans for information security for networks, facilities, and other sub-systems.
• Security awareness training for personnel.
• Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and controls at least annually.
• A process to address deficiencies in information security policies (plan of action and milestones – POAM).
• Procedures for detecting, reporting, and responding to security incidents.
• Procedures and plans to ensure continuity of operations for information systems that support the organization’s operations and assets.

5.9 Financial Industry Regulatory Authority (FINRA) Rules

FINRA is authorized by the US Congress to protect investors from fraud and other forms of financial loss, including data breaches. FINRA oversees 634,000 broker-dealers to provide this level of protection. With the increasing frequency and mounting sophistication of cybersecurity attacks, FINRA believes these pose the potential for harm to investors, firms, and the markets. To address this threat, FINRA has published cybersecurity practices for member firms. FINRA evaluates firms’ approaches to cybersecurity risk management through reviews of their controls in areas including technology governance, risk assessment, technical controls, access management, incident response, vendor management, data loss prevention, system change management, branch controls and staff training. Through these reviews, FINRA also assesses a firm’s ability to protect the confidentiality, integrity, and availability of sensitive customer information.

FINRA Rules Related to Cybersecurity

• 3110. Supervision.
• 3120. Supervisory Control System.
• 4530(b). Reporting Requirements.
• Supplementary Material 4530.01. Reporting of Firms' Conclusions of Violations.

SEC Rules Related to Cybersecurity

• 248.201-202. Regulation S-ID: Identity Theft Red Flags.
• 248.1-100. Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information.
• 240.17a-4(f). The Securities Exchange Act of 1933 (17 CFR §240.17a-4(f)).

5.10 Food and Drug Administration Code of Federal Regulations Title 21 Part 11

One of the most important government standards is Title 21 – Food and Drugs – Part 11, Electronic Records; Electronic Signatures. Title 21 CFR Part 11 is the part of Title 21 of the Code of Federal Regulations (CFR) that establishes the United States Food and Drug Administration (FDA) regulations on electronic records and electronic signatures (ERES). Part 11, as it is commonly called, defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records (U.S. Food & Drug Administration, 2019). Each title of the CFR addresses a different regulated area: Title 21 relates to pharmaceuticals and medical devices, and Part 11 applies to electronic records and electronic signatures. At a high level, Part 11 is a law that ensures that companies and organizations implement good business practices by defining the criteria under which electronic records and signatures are considered to be accurate, authentic, trustworthy, reliable, confidential, and equivalent to paper records and handwritten signatures on paper. Part 11 essentially allows any paper record to be replaced by an electronic record and any handwritten signature to be replaced by an electronic one.

Electronic Record: Any combination of text, graphics, data, audio, or pictorial information represented in digital form that is created, modified, maintained, archived, retrieved or distributed by a computer.

Electronic Signature: A compilation of any symbol(s) executed to be the legally binding equivalent of an individual’s handwritten signature.

Handwritten Signature: The scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form.

Digital Signature: An electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.


5.10.1 ALCOA Model

Pharmaceutical products must undergo a security process prior to public release. The process ensures that pharmaceutical products are safe for public use. Many health regulating entities ensure that pharmaceutical companies do not cut corners in pursuit of profits. To support these entities, the FDA created a model called ALCOA. ALCOA stands for Attributable, Legible, Contemporaneous, Original and Accurate. ALCOA is adopted throughout Canada and Europe. ALCOA defines how a pharmaceutical company is required to document evidence of its good manufacturing processes, whether on paper or in digital form. Over the years, ALCOA evolved into ALCOA+, where Complete, Consistent, Enduring, and Available were added. The following describe each component of the ALCOA model:

o Attributable – Evidence data must be attributable to the person collecting the data.
o Legible – Records of evidence must be legible and accurate in every way, including spelling.
o Contemporaneous – Records should be made at the time of the event or measurement, including date and time stamps.
o Original – Data should be original in the medium first recorded.
o Accurate – Recorded data should be accurate and free from errors and biases.
o Complete – All data used in recording of data is comprehensive.
o Consistent – All records of data, regardless of elapsed time, are recorded in the same manner.
o Enduring – Data is stored and protected on a medium that will endure for years.
o Available – Data is available and not subject to loss, destruction or other unavailability.

ALCOA has also been mapped to the following secure manufacturing processes:

o FDA 21 CFR Part 11 – Controls on the use of electronic records and electronic signatures, defined in 21 CFR Part 11 – Electronic Record and Electronic Signature.
o EU Annex 11 – EUDRALEX Rules Governing Medicinal Products in the European Union, Volume 4, Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use.
o GxP Readiness Checklist – An acronym that stands for good practice quality guidelines and regulations in manufacturing. The “X” can stand for the pharmaceutical or food industries. GxP defines a readiness checklist for cybersecurity and resiliency of the manufacturing process.

Figure 5-2 presents the interaction of secure manufacturing processes with the ALCOA model.


Figure 5-2. ALCOA Model

5.11 Health Information Technology for Economic and Clinical Health Act (HITECH)

The Health Information Technology for Economic and Clinical Health Act (HITECH) was created in 2009 to promote the adoption and meaningful use of health information technology. The law significantly modifies HIPAA by adding new requirements concerning privacy and security for patient health information. It also expands the scope of privacy and security protections available under HIPAA, increases the potential legal liability for noncompliance, and provides for more enforcement (HHS.gov, 2019). Important HITECH features:

• Expansion of HIPAA security standards to business associates that perform activities involving the use or disclosure of individually identifiable health information.
• Increased civil penalties for willful neglect.
• Data-breach notification requirements for unauthorized uses and disclosures of unsecured PHI (protected health information).
• Stronger individual rights to access electronic medical records and restrict the disclosure of certain information.
• New limitations on the sale of protected health information, as well as marketing and fundraising communications.

5.12 Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) improves the efficiency and effectiveness of the U.S. healthcare system by requiring the adoption of national standards for electronic healthcare transactions and code sets, as well as unique health identifiers for providers, health insurance plans, and employers. The law includes Administrative Simplification provisions that require the U.S. Department of Health and Human Services (HHS) to adopt national standards for electronic healthcare transactions and code sets, unique health identifiers, and security (HHS.gov, 2019). Important HIPAA features:

• Electronic Transaction and Code Sets Standards: Requires the same healthcare transactions, code sets, and identifiers.
• Privacy Rule: Provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information.
• Security Rule: Specifies administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.
• National Identifier Requirements: Requires that healthcare providers, health plans, and employers have standard national numbers that identify them on standard transactions.
• Enforcement Rule: Provides standards for enforcing all the Administrative Simplification rules.

5.13 Joint Commission on the Accreditation of Healthcare Organizations (JCAHO)

Did You Know?

In 2019, in a turn of irony, the JCAHO failed its own inspection with 427 major and 319 minor findings. The new CEO wanted to lead by example and scheduled an audit with only 30 minutes notice to audit their headquarters location. Do you have difficulty finding top cybersecurity talent? Source: https://www.medpagetoday.com/blogs/gomer/82239

The Joint Commission on the Accreditation of Healthcare Organizations (JCAHO) evaluates and accredits more than 21,000 health care organizations and programs within the US. Since 1951, JCAHO has been an independent, not-for-profit organization and standards-setting and accrediting body. Every healthcare organization/hospital accepting payment for US Medicare and Medicaid patients is required to meet certain Federal standards called “Conditions of Participation” (CoPs).

These Federal requirements are promulgated by the Centers for Medicare and Medicaid to improve quality and protect the health and safety of patients. Compliance is based on JCAHO random or unannounced surveys conducted by state healthcare licensure agencies. Healthcare security is an important element of CoPs. JCAHO requires healthcare organizations to maintain information privacy and confidentiality, data integrity, and systems continuity. Figure 5-3 presents the JCAHO model of security.

Figure 5-3. JCAHO Model of Security

Each component of the model includes elements of performance (EP), which provide guidance on how each standard should be implemented. Table 5-4 presents the EP for each standard.

Table 5-4. Elements of Performance.

Standard IM 2.10 – Information Privacy & Confidentiality are Maintained. Elements of Performance:
1. Developed written processes based on and consistent with applicable laws addressing privacy and confidentiality.
2. Policies have been effectively communicated to staff.
3. Effective processes for enforcing policy.
4. Monitor compliance with the policy.
5. Use monitoring results for improving privacy and confidentiality.
6. Patients are aware of uses and disclosures that may or will be made.
7. Removal of identifiers encouraged.
8. PHI is used for purposes identified to patients or as required by law and not further disclosed without patient authorization.
9. Hospital preserves confidentiality of information and requires extraordinary means to preserve patient privacy.

Standard IM 2.20 – Information Security, Including Data Integrity, is Maintained. Elements of Performance:
1. Developed written process based on and consistent with applicable law that addresses information security, including data integrity.
2. Effective communication of policy, and any changes, to applicable staff.
3. Effective process for enforcing the policy.
4. Monitors compliance with policy.
5. Monitoring results and technology developments used to improve information security, including data integrity.
6. Develops and implements controls to safeguard data and information, including the clinical record, against loss, destruction, and tampering.
7. Policies and procedures, including plans for implementation and for electronic information systems, address data integrity, authentication, non-repudiation, encryption as warranted, and auditability, as appropriate to the system and types of information, e.g., patient information and billing information.

Standard IM 2.30 – Continuity of Information is Maintained. Elements of Performance:
1. Business continuity/disaster recovery plan.
2. Periodic testing to ensure business interruption backup techniques are effective.
3. Electronic systems business continuity/disaster recovery plan addresses the following:
4. Plans for scheduled/unscheduled interruptions, including end user training.
5. Contingency procedures.
6. Plans for minimal interruptions during scheduled downtime.
7. Emergency service plan.
8. Backup system.
9. Data retrieval, including from storage and information presently in active systems.

JCAHO evaluates conformity with standards using a four-level rating scale with quantifiable measures to determine if an EP is effective:

• 0 = Insufficient compliance.
• 1 = Partial compliance.
• 2 = Satisfactory compliance.
• NA = Not applicable.


5.14 North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP)

The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) v6 plan is a set of requirements designed to secure the assets required for operating North America’s bulk electric system, whose operators are located in the United States, Canada and Northern Mexico. The NERC CIP has 12 standards and supporting requirements which apply to the security of electronic perimeters and the protection of critical cyber assets, as well as personnel and training, security management, and disaster recovery planning. Figure 5-4 presents each of the standards of NERC-CIP:

Figure 5-4. NERC CIP Standards

The CIP program coordinates all of NERC’s efforts to improve the North American power system’s security. These efforts include standards development, compliance enforcement, assessments of risk and preparedness, dissemination of critical information, and increased awareness regarding key security issues. NERC’s standards for governing critical infrastructure apply to entities that materially impact the reliability of the bulk power system. These entities include owners, operators, and users of any portion of the system.

Under NERC CIP, covered entities are required to identify critical assets and to regularly perform a risk analysis of those assets. Policies for monitoring and changing the configuration of critical assets need to be defined, as do policies governing access to those assets. In addition, NERC CIP requires the use of firewalls to block vulnerable ports and the implementation of cyberattack monitoring tools. Organizations are also required to enforce IT controls protecting access to critical cyber assets. Systems for monitoring security events must be deployed, and organizations must have comprehensive contingency plans for cyberattacks, natural disasters, and other unplanned events. Penalties for noncompliance with NERC CIP can include fines, sanctions, or other actions against covered entities. Because NERC is a transnational organization, the exact penalties vary from country to country. Fines for noncompliance can reach up to $1 million per day, which is reason enough for most industrial control system organizations to pour substantial time and resources into staying compliant. NERC’s compliance Violation Severity Levels (VSLs) range from low to severe and delineate the level to which a noncompliant entity missed their mark in the eyes of their auditor (NERC, 2019).

5.15 Payment Card Industry – Data Security Standard (PCI DSS)

To combat emerging credit theft and fraud, five credit card issuers, consisting of American Express, Discover, JCB (Japan Credit Bureau), MasterCard, and Visa, collaborated on a uniform IT security standard. The Payment Card Industry Data Security Standard (PCI DSS) was launched in December 2004 with version 1.0. Over time, the standard has gone through several revisions, bringing it to version 3.2 today. The goal of PCI DSS is to require enhancements to cardholder data security and facilitate the broad adoption of specific and consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). Table 5-5 shows the six objectives and 12 requirements of PCI DSS.

Table 5-5. PCI DSS Security Requirements

Objective 1) Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Objective 2) Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.

Objective 3) Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and processes.

Objective 4) Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.

Objective 5) Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.

Objective 6) Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel.

PCI DSS fines can be substantial, up to and including suspension of the right to process branded credit cards through the respective credit card company. With the length of time PCI DSS has been around and enforced, you would think that every company requiring compliance would comply. However, you would be wrong. A Verizon 2018 Payment Security Report showed that in 2016, 52.5% of organizations reviewed remained PCI DSS compliant (Verizon, 2018).

5.16 Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act (known as SOX) went into effect in 2002 to protect shareholders and the general public from accounting errors and fraudulent practices of organizations. It was also tailored to improve the accuracy of corporate disclosures. SOX was drafted to improve corporate governance and accountability following several financial scandals that occurred at Enron, WorldCom, and Tyco, as shown below. Fifteen years later, SOX is as relevant as ever. It applies to all publicly-held American as well as international organizations that have registered equity or debt securities with the U.S. Securities and Exchange Commission (SEC), as well as accounting firms or third parties that provide financial services to these organizations. The SOX compliance landscape has shifted lately to also include cybersecurity. Currently, there are two SOX sections that relate specifically to cybersecurity.

• The first is Section 302, which requires companies to have systems in place that protect against data tampering – both internally by unauthorized personnel as well as externally by malware or hackers.
• The second is Section 404, which requires that the organization’s security system can protect the handling of data, which should be verified independently. All data must be made available to auditors, including financial records as well as any potential security breaches.

With the new bill, the current Sections 2, 3, and 10 will be modified to add cybersecurity.

In Section 2 – Cybersecurity and information system requirement, the current Section 2(a) of SOX will be amended by changing “financial statements” to “financial statements and information systems.” In the current Section 3(a), “and financial” will be replaced by “financial, and cybersecurity systems”, and in Section 10(b) “quality control policies and procedures” will be replaced by “quality control policies and procedures, cybersecurity systems standards and practices.” The bill will also add three sections that define the terms information system, cybersecurity system and cybersecurity risk. The latter refers to “a significant vulnerability to, or a significant deficiency in, the security and defense activities of a cybersecurity system.” In short, being SOX compliant (as well as complying with other regulatory standards) requires that security solutions be in place, and the anti-retaliation provisions will protect a wide range of potential cybersecurity whistleblowers. As it stands now, each SOX compliance audit must establish how well an organization is managing its internal controls. Such internal controls consist of any type of protocol dealing with the infrastructure that handles the organization’s financial data.

5.16.1 Cybersecurity Flaw Whistleblower Protection

With cybersecurity becoming a topic of ever-increasing visibility and importance, information security professionals may ask what protection they have when they raise concerns about inadequate or deficient cybersecurity. The whistleblower protection provision of the Sarbanes-Oxley Act protects certain disclosures about cybersecurity, and other laws provide additional protection. In addition, some disclosures about cybersecurity can qualify for an SEC whistleblower award. The current SEC Chair has announced that cybersecurity is a top enforcement priority for the SEC.

5.17 Standards

Complying with cybersecurity statutes requires a baseline of controls or countermeasures that align to the specific concerns the legislation is designed to address. Standards and statutes go hand-in-hand. Selecting the right standard to comply with statutes demonstrates that your organization is serious about compliance. You should also select a standard that is widely accepted by the compliance audit community. Standards are generally arrived at through consensus by an authoritative standard-setting body. Examples of standards bodies include the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST). Standards can simply contain basic guidance or contain prescriptive instructions, security practices, approaches or even toolsets. Cybersecurity standards have been in existence for over 30 years. Frameworks are often referred to as standards, a subject I cover in-depth in my book Building an Effective Cybersecurity Program (2nd Edition – Rothstein Publishing, 2020). Within this chapter some frameworks are covered due in great part to their general acceptance as serving as a standard. To provide you with a sense of which cybersecurity standards are the most widely followed, I accessed two recent surveys and created a composite adoption graph. Figure 5-5 shows the most widely adopted cybersecurity standards according to a 2018 survey conducted by Tenable Inc. (Security Framework Adoption Survey) and a 2019 survey conducted by Cyber Security Hub (Cyber Security Mid-Year Snapshot 2019). It is important to note that most organizations use at least two standards in their cybersecurity programs.

Figure 5-5. Cybersecurity Standards Adoption (standards compared: ISO 27001/27002, PCI DSS, NIST CSF, CIS Critical Security Controls)

Ensuring compliance with standards is no less important than ensuring compliance with legal and regulatory statutes. Standards are used as the basis to conform to the security criteria outlined in many cybersecurity, privacy and resiliency statutes and regulations. PCI DSS has been covered previously as a regulation. What is left to cover are the standards that are widely endorsed by governing bodies and used to demonstrate compliance with legal and regulatory statutes.

5.17.1 International Organization for Standardization (ISO) Security Standards

ISO publishes a family of standards covering a range of cybersecurity topics, including how to create a security program, manage risk, and implement an incident response plan. ISO standards are popular with organizations that want to certify some or most of their programs, as well as with organizations that have international operations. Figure 5-6 presents the most used of the ISO information technology security standards:

Figure 5-6. ISO Information Technology Security Standards

The following ISO overviews, as well as more in-depth descriptions of each ISO standard, are publicly available at the American National Standards Institute (ANSI) Webstore located at https://webstore.ansi.org/. ANSI is responsible for accrediting and distributing ISO standards throughout the US. ANSI is the sole U.S. representative and dues-paying member of the International Organization for Standardization (ISO), and as a founding member of the ISO, ANSI plays an active role in its governance. ISO standards can be purchased individually or in packages. ISO updates standards every five years.

• ISO/IEC 27001:2013 | Information Security Management Systems—Requirements (ISMS)
This standard specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size, or nature. The standard covers:
o Making an information security management system operational.
o Reviewing the system’s performance.
o Corrective action.
o Annex A: List of controls and their objectives.

• ISO/IEC 27002:2013 | Code of Practice for Information Security Controls
This catalog provides guidelines for organizational information security standards and information security management practices, including the selection, implementation, and management of controls, taking into consideration the organization’s information security risk environment(s). It is designed to be used by organizations that intend to select controls within the process of implementing an ISMS based on ISO/IEC 27001, implement commonly accepted information security controls, and develop their own information security management guidelines.

• ISO/IEC 27003:2010 | Information Security Management System Implementation (ISMS) Guidance
The guidance in this document focuses on the critical aspects needed for successful design and implementation of an ISMS in accordance with ISO/IEC 27001:2005. It describes the process of ISMS specification and design from inception to the production of implementation plans. It also describes the process of obtaining management approval to implement an ISMS, outlines a project to implement an ISMS (referred to in ISO/IEC 27003:2010 as the ISMS project), and provides guidance on how to plan the ISMS project, resulting in a final ISMS project implementation plan.

• ISO/IEC 27004:2016 | Information Technology – Security Techniques – Information Security Management – Monitoring, Measurement, Analysis, and Evaluation
This document provides guidelines intended to assist organizations in evaluating information security performance and the effectiveness of an ISMS in order to fulfill the requirements of ISO/IEC 27001:2013, 9.1. It establishes: a) the monitoring and measurement of information security performance; b) the monitoring and measurement of the effectiveness of an ISMS, including its processes and controls; c) the analysis and evaluation of the results of monitoring and measurement. Knowledge of the concepts, models, processes, and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this document.

• ISO/IEC 27014:2013 | Information Technology – Security Techniques – Governance of Information Security
This standard provides guidance on concepts and principles for the governance of information security, by which organizations can evaluate, direct, monitor, and communicate the information security-related activities within the organization. The standard is applicable to all types and sizes of organizations.

• ISO/IEC TR (Technical Report) 27016:2014 | Information Technology – Security Techniques – Information Security Management – Organizational Economics
This standard provides guidelines on how an organization can make decisions to protect information and understand the economic consequences of these decisions in the context of competing requirements for resources. The standard is applicable to all types and sizes of organizations. It provides information to top management to assist them in making information security decisions.

• ISO/IEC 27017:2015 | Information Technology – Security Techniques – Code of Practice for Information Security Controls based on ISO/IEC 27002 for Cloud Services
This standard provides guidelines for information security controls involved in the provision and use of cloud services. This includes:
o additional implementation guidance for relevant controls specified in ISO/IEC 27002;
o additional controls with implementation guidance that specifically relate to cloud services.
This recommendation provides controls and implementation guidance for both cloud service providers and cloud service customers.

• ISO/IEC 27018:2019 | Information Technology – Security Techniques – Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors
This standard establishes commonly accepted control objectives, controls, and guidelines for implementing measures to protect PII in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. The standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.

• ISO/IEC 27032:2012 | Information Technology – Security Techniques – Guidelines for Cybersecurity
This standard provides guidance for improving the state of cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains, in particular information security, network security, internet security, and critical information infrastructure protection. It covers the baseline security practices for stakeholders in cyberspace. This International Standard provides:
o an overview of cybersecurity,
o an explanation of the relationship between cybersecurity and other types of security,
o a definition of stakeholders and a description of their roles in cybersecurity,
o guidance for addressing common cybersecurity issues, and
o a framework to enable stakeholders to collaborate on resolving cybersecurity issues.

• ISO/IEC 27033-1:2015 | Information Technology – Security Techniques – Network Security – Part 1: Overview and Concepts
This standard defines and describes the concepts associated with, and provides management guidance on, network security. This includes the provision of an overview of network security and related definitions, and guidance on how to identify and analyze network security risks and then define network security requirements. It also introduces how to achieve good quality technical security architectures, and the risk, design, and control aspects associated with typical network scenarios and network “technology” areas (which are dealt with in detail in subsequent parts of ISO/IEC 27033). The following companion documents are also available:
o ISO/IEC 27033-2:2012 | Information Technology – Security Techniques – Network Security – Part 2: Guidelines for The Design and Implementation of Network Security
o ISO/IEC 27033-3:2010 | Information Technology – Security Techniques – Network Security – Part 3: Reference Networking Scenarios – Threats, Design Techniques and Control Issues
o ISO/IEC 27033-4:2014 | Information Technology – Security Techniques – Network Security – Part 4: Securing Communications Between Networks Using Security Gateways
o ISO/IEC 27033-5:2013 | Information Technology – Security Techniques – Network Security – Part 5: Securing Communications Across Networks Using Virtual Private Networks (VPNs)
o ISO/IEC 27033-6:2016 | Information Technology – Security Techniques – Network Security – Part 6: Securing Wireless IP Network Access

• ISO/IEC 27034-1:2011 | Information Technology – Security Techniques – Application Security – Part 1: Overview and Concepts
This standard provides guidance to assist organizations in integrating security into the processes used for managing their applications. It presents an overview of application security. It introduces definitions, concepts, principles, and processes involved in application security. The standard is applicable to in-house developed applications, applications acquired from third parties, and cases where the development or the operation of the application is outsourced. The following companion documents are also available:
o ISO/IEC 27034-2:2015 | Information Technology – Security Techniques – Application Security – Part 2: Organization Normative Framework
o ISO/IEC 27034-3:2018 | Information Technology – Application Security – Part 3: Application Security Management Process
o ISO/IEC 27034-4: Under Development | Information Technology – Security Techniques – Application Security – Part 4: Validation and Verification
o ISO/IEC 27034-5:2017 | Information Technology – Security Techniques – Application Security – Part 5: Protocols and Application Security Controls Data Structure
o ISO/IEC 27034-6:2016 | Information Technology – Security Techniques – Application Security – Part 6: Case Studies
o ISO/IEC 27034-7:2018 | Information Technology – Application Security – Part 7: Assurance Prediction Framework

• ISO/IEC 27035-1:2016 | Information Technology – Security Techniques – Information Security Incident Management – Part 1: Principles of Incident Management
The standard presents basic concepts and phases of information security incident management and combines these concepts with principles in a structured approach to detecting, reporting, assessing, and responding to incidents, and applying lessons learned. The principles given in this standard are generic and intended to be applicable to all organizations, regardless of type, size, or nature. Organizations can adjust the guidance according to their type, size, and nature of business in relation to the information security risk situation. It is also applicable to external organizations providing information security incident management services. The following companion document is also available:
o ISO/IEC 27035-2:2016 | Information Technology – Security Techniques – Information Security Incident Management – Part 2: Guidelines to Plan and Prepare for Incident Response

• ISO/IEC 27036-1:2014 | Information Technology – Security Techniques – Information Security for Supplier Relationships – Part 1: Overview and Concepts
This standard is an introductory part of ISO/IEC 27036. It provides an overview of the guidance intended to assist organizations in securing their information and information systems within the context of supplier relationships. It also introduces concepts that are described in detail in other parts of ISO/IEC 27036. ISO/IEC 27036-1:2014 addresses the perspectives of both acquirers and suppliers. The following companion documents are also available:
o ISO/IEC 27036-2:2014 | Information Technology – Security Techniques – Information Security for Supplier Relationships – Part 2: Requirements
o ISO/IEC 27036-3:2013 | Information Technology – Security Techniques – Information Security for Supplier Relationships – Part 3: Requirements Guidelines for Information and Communication Technology Supply Chain Security
o ISO/IEC 27036-4:2016 | Information Technology – Security Techniques – Information Security for Supplier Relationships – Part 4: Guidelines for Security of Cloud Services

• ISO/IEC 27037:2012 | Information Technology – Security Techniques – Guidelines for Identification, Collection, Acquisition, and Preservation of Digital Evidence
This standard provides guidelines for specific activities in the handling of digital evidence, namely the identification, collection, acquisition, and preservation of potential digital evidence that can be of evidential value. It provides guidance to individuals with respect to common situations encountered throughout the digital evidence handling process and assists organizations in their disciplinary procedures and in facilitating the exchange of potential digital evidence between jurisdictions.

5.17.2 National Institute of Standards & Technology (NIST)

NIST publishes a family of standards covering a range of cybersecurity topics, including how to create a security program, manage risk, and implement incident management. In fact, NIST publishes over 175 Special Publications (SPs) that address security. To see them all, go to NIST’s publication search page located at https://csrc.nist.gov/publications/sp800. Figure 5-7 presents the most used of the NIST special publications:

Figure 5-7. NIST Special Publications

The following descriptions are publicly available on the NIST Computer Security Resource Center site located at https://csrc.nist.gov/publications/sp800.

• NIST SP 800-34 Rev. 1 | Contingency Planning Guide for Federal Information Systems
Abstract: This SP assists organizations in understanding the purpose, process, and format of information system contingency planning development through practical, real-world guidelines. This guidance document provides background information on interrelationships between information system contingency planning and other types of security and emergency management-related contingency plans, organizational resiliency, and the system development life cycle. It also provides guidance to help personnel evaluate information systems and operations to determine contingency planning requirements and priorities.

• NIST SP 800-40 Rev. 3 | Guide to Enterprise Patch Management Technologies
Abstract: This SP explains patch management as the process for identifying, acquiring, installing, and verifying patches for products and systems. This publication is designed to assist organizations in understanding the basics of enterprise patch management technologies. It explains the importance of patch management and examines the challenges inherent in performing patch management. It provides an overview of enterprise patch management technologies, and it also briefly discusses metrics for measuring the technologies’ effectiveness.

• NIST SP 800-53 Rev. 5 | Security and Privacy Controls for Information Systems and Organizations
Abstract: This SP provides a catalog of security and privacy controls for federal information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the nation from a diverse set of threats, including hostile attacks, natural disasters, structural failures, human errors, and privacy risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk. The controls address diverse requirements derived from mission and business needs, laws, Executive Orders, directives, regulations, policies, standards, and guidelines.

• NIST SP 800-55 Rev. 1 | Performance Measurement Guide for Information Security
Abstract: This SP provides guidance on how an organization, using metrics, identifies the adequacy of in-place security controls, policies, and procedures. It provides an approach to help management decide where to invest in additional security protection resources or identify and evaluate nonproductive controls. It explains the metric development and implementation process and how it can also be used to adequately justify security control investments. The results of an effective metric program can provide useful data for directing the allocation of information security resources and should simplify the preparation of performance-related reports.

• NIST SP 800-61 Rev. 2 | Computer Security Incident Handling Guide
Abstract: This SP notes that computer security incident response has become an important component of information technology (IT) programs. Because performing incident response effectively is a complex undertaking, establishing a successful incident response capability requires substantial planning and resources. This publication assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively. This publication provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of hardware platforms, operating systems, protocols, or applications.

• NIST SP 800-88 Rev. 1 | Guidelines for Media Sanitization
Abstract: This SP defines media sanitization as a process that renders access to target data on the media infeasible for a given level of effort. This guide will assist organizations and system owners in making practical sanitization decisions based on the confidentiality categorization of their information.

• NIST SP 800-100 | Information Security Handbook: A Guide for Managers
Abstract: This SP provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program. Typically, the organization looks to the program for overall responsibility to ensure the selection and implementation of appropriate security controls and to demonstrate the effectiveness of satisfying their stated security requirements. The topics within this document were selected based on the laws and regulations relevant to information security. The material in this handbook can be referenced for general information on a topic or can be used in the decision-making process for developing an information security program.

• NIST SP 800-114 Rev. 1 | User’s Guide to Telework and Bring Your Own Device (BYOD) Security
Abstract: This SP addresses the fact that many people telework, and they use a variety of devices, such as desktop and laptop computers, smartphones, and tablets, to read and send email, access websites, review and edit documents, and perform many other tasks. Each telework device is controlled by the organization, a third party (such as the organization’s contractors, business partners, and vendors), or the teleworker; the latter is known as bring your own device (BYOD). This publication provides recommendations for securing BYOD devices used for teleworking and remote access, as well as those directly attached to the enterprise’s own networks.

• NIST SP 800-125 | Guide to Security for Full Virtualization Technologies
Abstract: The purpose of SP 800-125 is to discuss the security concerns associated with full virtualization technologies for server and desktop virtualization and to provide recommendations for addressing these concerns. Full virtualization technologies run one or more operating systems and their applications on top of virtual hardware. Full virtualization is used for operational efficiency, such as in cloud computing, and for allowing users to run applications for multiple operating systems on a single computer.

• NIST SP 800-160 Vol. 1 | Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
Abstract: This SP addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical, and human components that compose the systems and the capabilities and services delivered by those systems. It starts with and builds upon a set of well-established international standards for systems and software engineering published by the ISO, the IEC, and the Institute of Electrical and Electronics Engineers (IEEE) and infuses systems security engineering methods, practices, and techniques into those systems and software engineering activities.

• NIST SP 800-171B | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets
Abstract: This SP offers additional recommendations for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations where that information runs a higher than usual risk of exposure. When CUI is part of a critical program or a high value asset (HVA), it can become a significant target for high-end, sophisticated adversaries (i.e., the advanced persistent threat (APT)). In recent years, these critical programs and HVAs have been subjected to an ongoing barrage of serious cyberattacks, prompting the Department of Defense to request additional guidance from NIST.

• NIST SP 800-181 | National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework
Abstract: This publication describes the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NICE Framework), a reference structure that describes the interdisciplinary nature of cybersecurity work. It serves as a fundamental reference resource for describing and sharing information about cybersecurity work and the knowledge, skills, and abilities (KSAs) needed to complete tasks that can strengthen the cybersecurity posture of an organization. As a common, consistent lexicon that categorizes and describes cybersecurity work, the NICE Framework improves communication about how to identify, recruit, develop, and retain cybersecurity talent. The NICE Framework is a reference source from which organizations or sectors can develop additional publications or tools that meet their needs to define or provide guidance on different aspects of cybersecurity workforce development, planning, training, and education.

5.17.3 Center for Internet Security® (CIS) Controls

The Center for Internet Security’s (CIS) Critical Security Controls for Effective Cyber Defense are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks. The CIS Controls are especially relevant because they are updated by cyber experts based on actual attack data pulled from a variety of public and private threat sources. Figure 5-8 presents version 7 of the CIS control library. Always check for the most current version at http://www.cisecurity.org/controls/.

Figure 5-8. Version 7 of the CIS Control Library (By CIS Controls™, licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License)

5.17.4 Industry-Specific Cyber Security Standards

Aside from the better-known cybersecurity standards, several emerging industry-specific standards are offered by private and government entities. The following introduces some of these new standards that may apply to your business if you are in any of the cited industries.

• Institute of Electrical and Electronic Engineers (IEEE) – Cybersecurity Standards
IEEE is the world’s largest technical professional organization dedicated to advancing technology for the benefit of humanity. IEEE was one of the earliest standards bodies to publish security standards and continues to do so to this day. IEEE’s mission is to develop standards and related activities for infrastructure and networking that are necessary to design, generate, automate, operate, deliver, distribute, support, and connect energy to cities, homes, and systems (2019, IEEE). Cybersecurity is an integral part of this mission. The following are some of IEEE’s cybersecurity standards:
o IEEE 1686-2013 – IEEE Standard for Intelligent Electronic Devices Cyber Security Capabilities.
o IEEE P1815 – Standard for Electric Power Systems Communications-Distributed Network Protocol (DNP3).
o IEEE 1888.3-2013 – IEEE Standard for Ubiquitous Green Community Control Network: Security.

• Instrumentation, Systems, and Automation Society (ISA) – Industrial Automation and Control Systems Security – 62443 Series of Standards
The ISA 62443 series of standards has been developed jointly by the ISA99 committee and IEC Technical Committee 65 Working Group 10 (TC65WG10) to address the need to design cybersecurity robustness and resilience into industrial automation and control systems (IACS). The standards in the series are arranged in four groups, corresponding to their primary focus and intended audience. Figure 5-9 shows the ISA element security model.

Figure 5-9. ISA Standards Model

The following provides more detail for each of the ISA security standards:
o 62443-1-1:2009 – Industrial Communication Networks – Network and System Security – Part 1-1: Terminology, Concepts and Models.
o 62443-2-1:2010 – Industrial Communication Networks – Network and System Security – Part 2-1: Establishing an Industrial Automation and Control System Security Program.
o 62443-3-1:2009 – Industrial Communication Networks – Network and System Security – Part 3-1: Security Technologies for Industrial Automation and Control Systems.
o 62443-4-1:2018 – Security for Industrial Automation and Control Systems – Part 4-1: Secure Product Development Lifecycle Requirements.

Organizations that design and manufacture products for the industrial control systems market should follow these security guidelines and standards to prove due diligence in secure design. Proving that your organization followed security standards could substantially help in product liability cases arising from breaches of security.

TIP: To learn how to certify your organization’s products against ISA’s 62443 security standards, go to https://www.isasecure.org/en-US/.

• National Aerospace Standard 9933 – Critical Security Controls for Effective Capability in Cyber Defense
In 2018, the Aerospace Industries Association (AIA) developed a national aerospace standard referred to as NAS9933, which is meant to supplement Department of Defense requirements by providing more than minimum security requirements. NAS9933 is a voluntary standard that seeks to provide:
o A means to assess the actual threat to members of AIA.
o Tailoring of the DOD-mandated NIST SP 800-171.
o Alignment of fragmented and conflicting DOD requirements.
NAS9933 consists of the 20 control families published by the Center for Internet Security (CIS), plus two additional control families aligned to the aerospace industry. Each control family consists of several sub-controls, better known as Critical Security Controls (CSC), and within each family these CSCs have been categorized into five capability levels. In short, instead of a one-size-fits-all checklist for compliance, this format establishes “Capability Level 3” as a minimum performance level, with Levels 4 and 5 as higher-level objectives. Being found out of compliance with a DOD contract can carry far more consequences than a regulatory fine. The cost of losing a major contract, lost opportunity, as well as fines and sanctions, could prove unrecoverable for some defense contractors.

• National Highway Traffic Safety Administration (NHTSA) – Vehicle Cybersecurity
With the rapid development of integrated automotive technologies, the NHTSA has adopted a multi-faceted research approach that leverages the National Institute of Standards and Technology Cybersecurity Framework. The NHTSA has committed to the following priorities:
1. A risk-based prioritized identification and protection process for safety-critical vehicle control systems;
2. Timely detection and rapid response to potential vehicle cybersecurity incidents on America’s roads;
3. Architectures, methods, and measures that design-in cyber resiliency and facilitate rapid recovery from incidents when they occur; and
4. Methods for effective intelligence and information sharing across the industry to facilitate quick adoption of industry-wide lessons learned.
NHTSA encouraged the formation of Auto-ISAC, an industry environment emphasizing cybersecurity awareness and collaboration across the automotive industry. Although this is not a mandatory standard, the NHTSA expects automotive manufacturers to account for cybersecurity threats in the design and manufacture of their vehicles. The NHTSA also wants to avoid another massive recall of vehicles due to cybersecurity vulnerabilities, such as the one that occurred in 2015 when 1.4 million Fiat Chrysler vehicles were recalled to correct cybersecurity vulnerabilities and prevent hacking (Greenberg, 2015).

Summary

After reading this chapter you should be left wondering which industry-specific statutes apply to your organization. If that were not enough to ponder, you should also be wondering whether the products you manufacture or the digital services you provide must comply with specific security regulations as well. Addressing the statutes covered in this chapter will require you to extend your reach past the information technology domain and into the products and services domain. I wanted you to also be aware that failure to comply with many of these statutes can result in significant economic impacts to your organization.

Self-Study Questions

The following exercises will help you understand how to interpret and adhere to private-sector cybersecurity standards.
1. Determine if your organization self-insures aspects of employee health insurance or has entered into an insurance agreement where health information is shared that would require HIPAA compliance.
2. Identify all private-sector statutes that apply to your organization.
3. Determine if your organization must comply with the EU Cybersecurity Act.
4. Determine which security standards are used to comply with Section 404 of the Sarbanes-Oxley Act.
5. Inventory all the NIST SPs referenced within your organization.
6. Identify which CIS controls would provide the most protection against ransomware attacks.
7. Map the primary components of your organization’s cybersecurity program to ISO 27001, NIST, or CIS.
8. Determine which regulations, standards, or laws govern the security of manufactured goods or services applicable to your organization.
9. For defense contractors, determine if standard NAS9933 will enhance your organization’s compliance with DOD cybersecurity regulations.
10. Identify each statute that calls for media sanitization practices and define a best-practice approach for your organization.

References Congress.gov. (2014, December 18). S.2521 - Federal Information Security Modernization Act of 2014. Retrieved from https://www.congress.gov/bill/113thcongress/senate-bill/2521 EUR-Lex. (2016, July 6). Directive (EU) 2016/1148 of the European Parliament and of the Council. Retrieved from https://eur-lex.europa.eu/legalcontent/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG&toc=OJ:L:2016:194:TO C Greenberg, A. (2015, July 24). After Jeep Hack, Chrysler Recalls 1.4M Vehicles for Bug Fix. WIRED. Retrieved from https://www.wired.com/2015/07/jeep-hack-chrysler-recalls1-4m-vehicles-bug-fix/ HHS.gov. (2019). HIPAA for Professionals. Retrieved from https://www.hhs.gov/hipaa/for-professionals/index.html HHS.gov. (2009, February 17). HITECH Act Enforcement Interim Final Rule. Retrieved from https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcementinterim-final-rule/index.html IEEE. (2019). Mission and Vision. Retrieved from https://www.ieee.org/about/visionmission.html Ingves, S. (2018). Institute of Law and Finance. Basel III: Are we done now? Frankfurt. Office of the Comptroller of the Currency (OCC). 2016, September 9). FFIEC Information Technology Examination Handbook: Revised Information Security Booklet. Retrieved from https://www.occ.treas.gov/news-issuances/bulletins/2016/bulletin-201627.html NERC. (2019). Critical Infrastructure Protection Committee (CIPC). Retrieved from https://www.nerc.com/comm/CIPC/Pages/default.aspx Verizon. (2019, November 12). 2019 Payment Security Report. Retrieved from https://enterprise.verizon.com/resources/reports/payment-security/ U.S. Code of Federal Regulations (CFR). (2019, December 23). § 99.31 - Under what conditions is prior consent not required to disclose information? Retrieved from https://www.govregs.com/regulations/expand/title34_part99_subpartD_section99.31#title 34_part99_subpartD_section99.31 U.S. Food & Drug Administration, (2019, April 1). CFR - Code of Federal Regulations Title 21. 
Retrieved from https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfCFR/CFRSearch.cfm?CFRPart=11 &showFR=1


Chapter 6 Creating a Cybersecurity Law Program

At this point, you may be wondering how to take what you have learned and turn it into something actionable. In this chapter, I curate previously discussed subjects into a model that you may use to create your own cybersecurity law program. The program has two parts: the first is a formal structure to handle criminal and civil actions against your organization; the second is cyber liability insurance to hedge the impact of any potential litigation. Think of this as a strategy composed of frontline legal defenses with a backup plan (insurance) when all else fails. You will learn how to create your program using some actual examples that I have found to be effective when building similar programs. Consider this approach a guide rather than a rigid architecture that must be followed. I encourage you to leverage your experience as well as that of others in your organization to create something that is fit for purpose for your requirements and legal exposure. This chapter will help you to:

• Design a cybersecurity law program.
• Define the roles and responsibilities for the people who will staff your program.
• Create policies and procedures to effectively define and operate your program.
• Leverage technology to automate critical components of your program.
• Understand the value of adding cyber liability insurance to your program.


6.1 Cybersecurity Law Program

It is one thing to have a lot of knowledge about cybersecurity law, but it is another to harness that knowledge into something pragmatic and usable. One way to make knowledge actionable is to turn it into a program; in this case, a cybersecurity law program for your organization. Think of the program as your plan to accomplish something within a specific structure. I will provide you with a framework and a definition of the resources needed to build your program. You will learn how to assign people to roles, create policies and procedures, and leverage technology to make your program successful. The program will give you the means to ensure your organization complies with the myriad laws and regulations and abides by the rules of procedure and evidence in the event your company is sued.

6.1.1 Model

A model is an abstract representation of the structure that describes the basic workings of something; in our case, a cybersecurity law program. The model is an illustration of the moving parts of the program. Think of your organization’s cybersecurity law program as a multidiscipline collaboration where employees from different departments work together under a cohesive structure. The model’s highest level of definition is components. These components, represented by the dark gray boxes, show the focus areas of the program. The next level of definition is subcomponents, represented by the light gray boxes. Subcomponents are the resources necessary to carry out specific actions in support of the goals of the components. For example, to adhere adequately to data privacy law, your organization must assign people in accordance with policies and procedures that instruct them how to leverage technology to complete their tasks efficiently. A common law library is also required to document the program and provide the same level of knowledge to all program participants.

The model in Figure 6-1 shows how components and subcomponents continuously interact. If you have used models in the past, you may have found that having a picture of what the end result looks like makes it much easier to build something. That is exactly the purpose of this model. Figure 6-1 is a conceptual model of a cybersecurity law program.


Figure 6-1. Cybersecurity Law Program Model

6.1.1.1 Components

Components can be added to or removed from the model depending on the emphasis or scope of your business. For example, if your organization has numerous contractual agreements with specific security and data privacy provisions, you may wish to add a component called contract law. The subcomponents would not change, as they are designed to support any component of the model. Components represent areas of practice that are ongoing and require specific attention, updates, and support for events that can have a material impact on your business. You would not want to add a component that would be used only once, because the model is not project-oriented. The following describes each of the model’s components:

• Cybersecurity Law: Concerned with how your organization adheres to the criminal and civil legal and regulatory statutes associated with cybersecurity.
• Data Privacy Law: Concerned with how your organization abides by state, federal, and international data privacy laws.
• Cryptography Law: Concerned with how your organization protects data-at-rest and data-in-transit according to geographical residency or data transit provisions, data privacy, and cybersecurity laws.
• Digital Forensics Law: Concerned with how your organization conducts digital investigations in a manner required to produce legally admissible evidence.
• Cyber Liability Insurance: Concerned with how your organization hedges civil lawsuits associated with data breaches using specialized liability insurance.

By design, not all components of the model may be required, as cybersecurity law requirements generally differ between organizations. The model also removes much of the complexity of complying with cybersecurity and data privacy laws by grouping common practices into their respective components. Data privacy law activities, for instance, are consolidated into a single component rather than treated as separate activities spread across multiple components. Likewise, encryption is referenced within both the cybersecurity law and data privacy law components, but rather than duplicate these functions they have been consolidated in cryptography law.

6.1.1.2 Subcomponents

The second level of the model is subcomponents, where essential shared resources are defined. For your program to be successful, resources must be assigned. Resources in the proposed model consist of the roles employees will assume to manage their day-to-day activities, policies that define the organization’s principles and positions on the law, procedures to ensure program activities are executed predictably and repeatably, and technology to automate certain program activities. A law and regulations library or knowledgebase is also shared among the components to make information uniformly available. Rather than maintaining laws in each component, they are stored centrally because a single law could be required by one or more components. The model is dynamic, meaning that any component may share any subcomponent, interacting as needed. These interactions remove duplication of resources and functions. For example, the data breach incident response plan residing within the procedures subcomponent may be shared with the data privacy or cybersecurity law components. The following describes each of the model’s subcomponents:

• People: Defines the roles and responsibilities of the people required to operate the program.
• Policies: Defines the principles and policies that guide the execution of the program.
• Procedures: Defines the activities carried out by the people assigned to the program.
• Technology: Defines the technology used to automate key activities of the program.
• Law and Regulations Library: Defines the central repository where laws, regulations, contracts, and program support materials are maintained.

Subcomponents are organized into views, which collectively create the cybersecurity law program architecture.


6.1.2 Architecture

The architecture is the design or blueprint of the program, its skeletal structure. Your program architecture will consist of three layers or views that segment subcomponents into business, functional, and technical views. Views are important because they describe the program from a stakeholder’s perspective. You may show your program to others within your organization, but unless its relevance is immediately clear from their perspective, they won’t understand it or, even worse, may not support it. I think you will agree that explaining your program from the technical view to the legal department will result in a few glazed-over looks.

• Business View: Concerned with the people assigned to implement the program’s activities to ensure legal, regulatory, and contractual compliance. Policies define the business rationale and principles which guide the program’s activities. Key stakeholders in this view consist of legal counsel, senior management, and those who directly oversee cybersecurity and privacy.
• Functional View: Concerned with how the program functions on a day-to-day basis as well as during critical times of escalation or key events such as a lawsuit. Key stakeholders in this view consist of managers of cybersecurity, data privacy, incident response, insurance, and legal.
• Technical View: Concerned with what technology is used and how it is deployed and operated to support the program. Key stakeholders consist of security engineers, security architects, operations management, and application developers.

You have heard that a picture is worth a thousand words; an architectural depiction is no different. The architecture clearly and concisely presents how your cybersecurity law program is best structured and how it supports the views of your organization’s key stakeholders. Figure 6-2 is a visual representation of a cybersecurity law program architecture consisting of business, functional, and technical views.


Figure 6-2. Cybersecurity Law Program Architecture

6.1.3 Program Staffing and Roles

Any successful initiative or program begins with the proper assignment of personnel; a cybersecurity law program is no different. For the most part, you should be able to assign virtually all roles to existing employees. Your goal should not be to create a bureaucratic structure, but rather a virtual, collaborative team composed of legal, insurance, privacy, and cybersecurity employees. In some cases, you may be able to assign multiple roles to a single individual, depending on the size of your organization and level of annual or ongoing legal activity. Ultimately someone will need to lead the program; I recommend you appoint someone from the legal department. If your organization uses outside counsel, the next logical person to lead the program would be either the chief privacy officer (CPO) or chief information security officer (CISO). Anyone assigned to one or more of these roles should have the time to invest in implementing the program. Initially, there will be more work, resulting from the collection of laws and regulations and their cross-mapping to security and privacy controls. Afterward, the work effort will consist mainly of program updates, except during major events such as data breaches or lawsuits. Figure 6-3 is an organization chart showing the logical coupling of the roles. This is not a suggestion to realign existing organizational or reporting structures, but rather presents a virtual view of an organizational structure.

Figure 6-3. Cybersecurity Law Program Organizational Chart

As shown in Figure 6-3, these are the roles that you will require for an effective cybersecurity law program:

• Senior Legal Counsel: Accountable for the cybersecurity law program, providing legal advice and oversight. May also have direct responsibilities for legal activities within various program components depending on the size of your organization and number of annual legal actions. This role is also referred to as Chief Legal Officer (CLO). This role will report lawsuit activities directly to the chief executive officer (CEO) and board of directors.
• Cyberlaw Librarian: Responsible for maintaining a current repository of the laws and regulations covering data protection and privacy, cybersecurity, cryptography, digital forensics, service contracts, and trade agreements. It is typical for this role to be assigned to in-house or outside legal counsel.
• Cyberlaw Analyst: Responsible for reviewing each of the laws, statutes, and regulations in the law library to determine their geographical applicability. The analyst will focus on reviewing each law for the specific language relating to cryptography, forensics, data privacy, or insurance. Tip: Companies have had great success hiring interns or paralegals from local business or law schools to create the matrices and perform law mapping.
• Cybersecurity Analyst: Responsible for identifying and implementing current data privacy and cybersecurity controls to support the provisions of the laws and regulations. The analyst builds upon the work completed by the cyberlaw analyst by aligning and documenting controls mapped to the applicable laws and regulations.
• Chief Privacy Officer (CPO): The CPO is a key role within the program because many of the laws and regulations deal with the protection of information. The CPO may assume the responsibilities of all privacy-related activities depending on the way the position is presently structured. This could include the collecting and mapping of laws and regulations related to privacy. The CPO will have significant influence in the selection of privacy-preserving technology deployed to protect information while it is in use.
• Insurance Risk Manager (IRM): The IRM role owns the cyber liability policy and is responsible for ensuring that your company complies with all the required provisions of the policy. The IRM will evaluate each claim situation and, in collaboration with senior legal counsel, determine if a claim can be made. The IRM is also responsible for performing exposure analysis and maintaining oversight of the self-insured loss pool.
• Chief Information Security Officer (CISO): The CISO has direct accountability for the cybersecurity analyst and forensics lead, ensuring a system of checks and balances. The CISO verifies the mapping of the controls to laws and regulations in consultation with the CPO.
• Digital Forensics Lead: This role is one where the primary activities begin after a data breach or cybersecurity incident. Nonetheless, the person in this role will need to be actively involved in pre-breach incident planning and integration of the rules of procedure with incident response plans.

6.1.3.1 Accountability Matrix

Whenever multiple people are involved in a program, disputes over roles and responsibilities are common. An effective way to resolve these disputes is to use a RACI diagram. RACI is an acronym for Responsible, Accountable, Consulted, and Informed. RACI charts are an easy way to show clearly the responsibilities of the roles of the personnel involved in the cybersecurity law program.

• Responsible: This is the person who is primarily responsible for carrying out the activities of the role. More than one person can be responsible for a role given its complexity and level of effort.
• Accountable: This person is the one solely accountable for the success of the activities within a role. Unlike responsible, there can only be one accountable person per role. They also play the role of the verifier, ensuring the activities of the role are performed correctly.
• Consulted: These people, and there can be many, are consulted to ensure that activities are carried out based on the best advice available. People consulted can be outside the company if they play an ongoing role in the cybersecurity law program.
• Informed: These people are informed of the decisions or actions of the program as part of the communications strategy. Informing others can be done directly or indirectly through website postings.

Table 6-1 shows how a RACI diagram is populated.

Table 6-1. RACI Diagram

6.1.4 Program Policies

A series of policy statements will be required to support the cybersecurity law program. These statements describe how your organization will address the various aspects of the program. Policies differ from procedures: policies are descriptive, and procedures are prescriptive. Your existing policy format should be used, or you may follow the format example noted in the tip below. One of the goals in creating this program is to integrate the cybersecurity law program requirements into your existing cybersecurity program. Remember that not all policy statements may apply to your situation.

TIP: If you desire additional examples of how to create policies, the SANS Institute’s Security Policy Project has made available excellent sample policies that you may use as a template.

It is likely that your organization has some form of security policy manual. However, you may not have the specific policy statements to cover the areas of cybersecurity law. Should you find these types of statements missing from your policy manual, I have drafted several policy statements that can be used to supplement it. These policy statements do not constitute a full policy, but only the statement. You will need to customize them to bring them into alignment with your current policy manual format.

• Cryptography. The following policy statements cover eight specific areas of cybersecurity law and cryptography introduced in Chapter 4 of this book:
  o Cryptography Patent Infringement: No cryptography algorithms shall be used unless the patent has either expired or the company maintains a valid license. License arrangements must meet the expected use of the product or service life as well as comply with export control guidelines.
  o Encryption Personal Use Exemption: Travel by employees to countries that do not extend personal use exemptions will require authorization by the legal department and the filing of an encryption import license.
  o Export Control Law: Software or hardware products containing an encryption level higher than 512-bit key encryption will not be sent or used outside of the US, in compliance with the Export Administration Regulations.
  o Healthcare Data Privacy: Personal healthcare information (PHI) of employees or customers, regardless of Health Insurance Portability and Accountability Act (HIPAA) compliance requirements, will be encrypted with an algorithm and processes prescribed by the company’s PHI risk assessment.
  o Import Control Law: In the event travel or equipment deployment is required within an import-restricted country, an appropriate license will be filed, and only after US Department of State approval will the activity proceed.
  o International Encryption Law Compliance: Data sent to and stored in foreign countries will comply with all local encryption laws. If local encryption law requires a lower level of key length than currently used, an application for an export license will be necessary.
  o Key Disclosure Laws: Employees traveling to countries that require key disclosure will abide by all local encryption laws, including providing the password to decrypt information requested by local authorities. Any time a request is made, the employee will immediately notify the legal department.
  o State Encryption Safe Harbor Provisions: Encryption of personal data at a level meeting or exceeding the highest-level key length of any state will be followed to ensure compliance with all state safe harbor provisions.

• Data Privacy. The following policy statements cover three specific areas of cybersecurity law and data protection introduced in Chapter 3 of this book:
  o Federal Children’s Online Privacy Law: Applications or systems that interact with minors (13 and under) will comply with the standards of the Internet Keep Safe Coalition (iKeepSafe), a nonprofit international alliance of advocates for children established in 2005, and its Safe Harbor program under the Children’s Online Privacy Protection Act (COPPA).
  o Privacy Law Library: A current library of state, federal, and international privacy laws will be maintained. Cross-mapping will be performed on each law to facilitate an understanding of which law applies to which geographical coverage of operations or customers. A cross-mapping of security controls with legal requirements will be maintained to ensure alignment with the cybersecurity program.
  o State Minor’s Privacy Acts: Applications or systems that interact with minors (17 and under) will abide by all provisions of any state’s child privacy law, including prohibiting the sale of dangerous products and complying with requests to remove personal data.

• Digital Forensics. The following policy statements cover five specific areas of cybersecurity law and digital forensics introduced in Chapter 4 of this book:
  o Digital Best Evidence Rule: Digital evidence will be gathered according to the Federal Rules of Evidence under the oversight of the legal department.
  o Digital Chain of Custody: To ensure evidence in a cybercrime investigation is admissible in a court of law, all evidence will be gathered according to the US Department of Justice’s Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations manual under the oversight of the legal department.
  o Digital Data Spoliation: In the event of a pending lawsuit or issuance of a preservation order, no employee or contractor will destroy or alter in any way the data identified by the court order.
  o Preservation Order: Once a preservation order has been received, no action will be taken unless and until the direct oversight of the legal department has begun. All documents requested will be secured in a manner that preserves them for plaintiff discovery.
  o Search and Seizure of Encrypted Data: If a discovery order is received to produce information, full cooperation will be provided to the plaintiff’s legal counsel and the data will be decrypted and submitted. This process can only occur under the direction of legal counsel.

• Cyber Liability Insurance. The following policy statements cover two specific areas of insurance introduced in Section 7.2 of this chapter:
  o Cyber Liability Insurance Policy: The company will carry a cyber liability insurance policy for up to $5 million above the self-insurance loss pool of $1 million, with a $100,000 per-loss deductible for third-party losses.
  o Annual Coverage Assessment: An annual assessment of cyber liability coverage will be performed considering the estimated loss exposure for a data breach based on the projected number of compromised records in the next fiscal year.

6.1.5 Program Procedures

A procedure corresponding to each cybersecurity law policy will be required to ensure that the guidance of the policies is carried out in a predictable, repeatable manner. Procedures are the prescriptive guidance on how an activity should be completed to accomplish the desired outcome. A procedure format that I have always felt was the most comprehensive is based on the Information Technology Infrastructure Library (ITIL) standard. ITIL is a set of practices for Information Technology Service Management (ITSM) that provides guidance on aligning information technology with the business. One of the areas where ITIL excels is documentation, including procedures, processes, tasks, and checklists. Table 6-2 is a sample ITSM-based procedure which you can use as a template to create other procedures.

Table 6-2. Sample Procedure

Digital Evidence Procedure

Name: Legally Obtaining and Managing Digital Evidence

Purpose: The purpose of this procedure is to identify the specific tasks necessary to ensure compliance with state and federal laws of digital evidence gathering and preservation.

Exclusions: This procedure does not replace existing forensics or incident response procedures and only addresses the legal aspects of digital evidence.

Scope: This procedure applies to all electronic information residing in applications (Microsoft Office, etc.), cloud storage, databases, emails, files, storage devices, text messaging, USB drives, web pages, or any other computer-generated or stored data.

Prerequisites: Performing this procedure will require one or more of the following forms obtained from the legal department: 1) Data Preservation Letter; 2) Request for Production of Documents; 3) Letter Appointing Third Party Neutral Expert; 4) Deposition Notice; 5) Interrogatories; 6) Non-waiver and Confidentiality Agreement; 7) Custodian Interview Sheet; and 8) Onsite Detail Gathering Questionnaire. Note: Provide links to documents in your knowledgebase.

Responsibilities: The following personnel have been identified to perform the required activities within this procedure: 1) Legal Counsel; 2) Cybersecurity Program Manager; 3) eDiscovery Lead; 4) Security Analyst; 5) Data Storage Manager; 6) Forensics Expert; and 7) Private Investigator. Note: Some of these roles may reside outside of your RACI as they are not directly part of the cybersecurity law program.

Processes: Include a process flowchart. The diagram consists of activities connected by decision points.

Tasks: Step 1) Secure Digital Evidence from Further Use; Step 2) Begin Evidence Log; Step 3) Contact Forensic Expert; Step 4) Assign Legal Counsel Representative; Step 5) Complete Best Evidence Log; Step 6) Begin Best Evidence Collection; Step 7) Start Chain of Custody Log; Step 8) Secure Evidence; and Step 9) Video Document Process.

References: During the execution of this procedure, it may be helpful to reference the following policies, laws or government standards: 1) Title 18 Crimes and Criminal Procedure; 2) California digital forensics statute; and 3) the US Department of Justice’s manual, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. Note: Provide links to documents in your knowledgebase.

Definitions: The following terms may not be familiar to all personnel executing this procedure: 1) Best Evidence: Digital content that can be proven to represent the most authentic evidence; 2) Spoliation: Any erasure, alteration or modification of digital information to alter the course of a lawsuit.
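The Tasks row above asks for an evidence log (Step 2), a chain of custody log (Step 7) and secured evidence (Step 8), and the Definitions row names spoliation as the failure to guard against. The following is an added illustration, not code from the book or any product it names: each custody event records the evidence hash and is linked to the previous entry, so a later verification detects both an altered item and an edited log entry. Custodians, timestamps and file contents are constructed sample data.

```python
"""Tamper-evident evidence log and chain of custody (added example)."""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from typing import List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the evidence bytes; a later mismatch signals alteration."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    seq: int               # 1-based position in the chain
    timestamp: str         # ISO 8601 string supplied by the caller
    custodian: str         # who held or handled the item
    action: str            # e.g. "collected", "transferred", "examined"
    evidence_hash: str     # SHA-256 of the evidence at the time of this entry
    prev_entry_hash: str   # entry_hash of the previous entry ("0" * 64 for the first)
    entry_hash: str = ""   # hash over every other field, filled in on append

    def compute_hash(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))


@dataclass
class EvidenceRecord:
    item_id: str
    description: str
    original_hash: str     # hash taken when the item was first secured
    entries: List[CustodyEntry] = field(default_factory=list)

    def add_entry(self, timestamp: str, custodian: str, action: str,
                  current_bytes: bytes) -> CustodyEntry:
        """Append a custody event, linking it to the previous entry's hash."""
        prev = self.entries[-1].entry_hash if self.entries else "0" * 64
        entry = CustodyEntry(len(self.entries) + 1, timestamp, custodian,
                             action, sha256_hex(current_bytes), prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self, current_bytes: bytes) -> List[str]:
        """Return a list of problems; an empty list means the chain is intact
        and the evidence still matches the hash recorded at collection."""
        problems = []
        prev = "0" * 64
        for i, e in enumerate(self.entries, start=1):
            if e.seq != i:
                problems.append(f"entry {i}: sequence gap or reordering")
            if e.prev_entry_hash != prev:
                problems.append(f"entry {i}: link to previous entry broken")
            if e.entry_hash != e.compute_hash():
                problems.append(f"entry {i}: entry contents altered after logging")
            if e.evidence_hash != self.original_hash:
                problems.append(f"entry {i}: evidence hash differs from original")
            prev = e.entry_hash
        if sha256_hex(current_bytes) != self.original_hash:
            problems.append("evidence bytes no longer match the original hash "
                            "(possible spoliation)")
        return problems


def open_evidence_log(item_id: str, description: str, evidence_bytes: bytes,
                      timestamp: str, custodian: str) -> EvidenceRecord:
    """Steps 2 and 7: create the record and log the initial collection event."""
    record = EvidenceRecord(item_id, description, sha256_hex(evidence_bytes))
    record.add_entry(timestamp, custodian, "collected", evidence_bytes)
    return record


def demo() -> Tuple[List[str], List[str]]:
    """Constructed walkthrough: an intact chain, then an altered copy of the item."""
    image = b"constructed disk image bytes for item EV-001"
    rec = open_evidence_log("EV-001", "laptop image (constructed)", image,
                            "2020-01-15T09:00:00Z", "security analyst")
    rec.add_entry("2020-01-15T11:30:00Z", "forensics expert", "transferred", image)
    rec.add_entry("2020-01-16T08:00:00Z", "forensics expert", "examined", image)
    intact = rec.verify(image)                      # []
    altered = rec.verify(image + b" (modified)")    # one spoliation finding
    return intact, altered


if __name__ == "__main__":
    ok, bad = demo()
    print("intact chain:", ok or "no problems")
    print("altered evidence:", bad)
```

Step 9 (video documentation) and the forms listed under Prerequisites remain manual; the log only makes silent changes to the item or to its custody history detectable.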


6.1.6 Program Technology

Technology can be leveraged to improve the effectiveness of the people executing tasks within the program. You should consider where it makes sense to invest in the right tools to reduce the manual effort needed to accomplish the many activities required of the program. You should also remember that technology is not a silver bullet and that not all tasks need to be automated. Consider that 41% of organizations manage their legal programs using manual or semiautomated methods such as Microsoft Office products (Harris, 2017). Some of the more critical areas to automate are the elimination of data spoliation and of breaks in the chain of evidence custody. To help you determine the types of technology to consider, I have highlighted below some of the most widely used in similar programs.

Did You Know? In Brant Flax v. Pet360, Inc., et al., C.A. No. 10123-VCL, hearing (Del. Ch. June 29, 2015), concerns were raised regarding increasingly aggressive tactics being used in eDiscovery nationally. Does your legal department understand reasonable eDiscovery? Source: https://margravelaw.com/wpcontent/uploads/2016/05/2016-0428-Scheduling-Order.pdf

6.1.6.1 eDiscovery Software

Organizations that expect involvement in several data breach lawsuits or regulatory inquiries over the course of a year may wish to consider a software product specifically designed to manage the litigation process. Electronic discovery (eDiscovery) software ensures the best possible outcome from the gathering to the management of digital data discovery. These products include capabilities for legal holds, digital data collection, processing of evidence, analysis of evidence, and review and production of court documents. Within your company live vast amounts of potentially discoverable information. If your business maintains documents in foreign languages, you will need a solution that also searches in native languages to accommodate discovery requests globally.

The eDiscovery software is designed to support Rule 34 of the Federal Rules of Civil Procedure. What is important for you to know about this rule is that when your company is involved in a lawsuit and under discovery, you must produce any pertinent electronically stored information. Electronic data consists of memos, emails, network diagrams, PowerPoints, Excel spreadsheets, and any other data the plaintiff requests in their discovery motion. This essentially means that if you store it electronically, it potentially can be discovered. In 2015, the Federal Rules of Civil Procedure added several new requirements. You will need to ensure that your company is advised by a law firm that understands the differences between the old and the new rules to avoid having evidence or even a case dismissed for circumstances related to poor procedures. Spoliation sanctions are substantially more severe when parties do not preserve their electronic data. Another change in the rules is to ensure that discovery requests are not overly broad and are proportional to the specific issues in the case (Grounds, 2015). Several other changes, related to the speed at which discovery data must be submitted and its accuracy, may lead you to adopt an eDiscovery platform sooner rather than later. Although 2015 represented a major change in the rules of procedure, those are hardly the only changes. It is important that the rules of criminal as well as civil procedure are reviewed annually. In 2018, the Supreme Court approved amendments which change the process of serving and filing pleadings and other papers. Not following these changes could have a material impact on your case. The eDiscovery software allows you to securely upload documents for disclosure, creating an index and inventory of the data. These programs are also designed to search vast volumes of data looking for specific terms or data specified in the discovery or preservation order using sophisticated data analytics. One of the unique aspects of these products is that they learn and adapt during the searches, expanding discovery to other digital data that may be relevant through learned relationships. For example, if your company is involved in a contract dispute, you may be focusing only on the contracts and not the interactions with those contracts. The eDiscovery software will search for relationships with the contract in question, looking for such connections as who downloaded copies, wrote related emails, or created supporting memoranda. Sources of eDiscovery software are included in the Appendix.

TIP: Ensure that comprehensive data retention and data retirement policies and practices are in place to prove to a court that any data destroyed was a result of company policy and not purposeful spoliation.

6.1.6.2 Law and Regulations Library

Your program will require a significant quantity of documents that will need to be stored and easily accessed by program participants. For example, all of the laws to which you will need to adhere should reside in a document repository such as Microsoft’s SharePoint, where they can be meta-tagged or indexed with appropriate search criteria. SharePoint is a product that serves as a secure document repository that stores and organizes virtually all forms of information. Meta tagging is a way to tag or flag a document with keywords so that anyone searching for that kind of information may locate it. When flagging your documents in the knowledgebase, you should use a minimum standard set of keywords as search criteria. Table 6-3 provides you with a starter set of keywords to use for meta tagging your documents.


Table 6-3. Sample Document Meta Tags

Category of law: Civil, criminal, contract
Program component: Cryptography, forensics, data privacy, insurance
Document attributes: Effective date, owner, source, review cycle
Geographical applicability: City, county, state, country
Jurisdiction: State, federal, international, municipal, regulatory
Document type: Agreement, contract, law, regulation, statute, treaty

It would not be uncommon for the repository to contain over one hundred laws and regulations alone. Add to that all the policies, procedures, and reference material, and you may need to manage over 500 documents, making a central knowledgebase essential.

Tip: Within the geographical applicability field, the estimated number of customers or business operations should be noted. This will support the decision process of determining when to make a data breach notification because data breach notifications are based on the number of affected records or customers.

6.1.6.3 Legal and Regulatory Update Subscription

Maintaining currency with this number of legal documents as well as knowing when laws are introduced can be a time-consuming endeavor. One way to automate this process is to obtain a subscription from either Thomson Reuters’ Westlaw or RELX Group’s LexisNexis. A less expensive way of acquiring and updating the numerous documents required would be to search for them individually and then, where possible, set up a Really Simple Syndication (RSS) feed to be alerted to changes in the various documents supported by the feed. RSS is a technology used to track websites and stream updates to a data repository, such as a spreadsheet or database. This makes keeping up with changes in the law more efficient. Table 6-4 provides free sources for gathering and maintaining legal documents for your law library:


Table 6-4. Free Legal References

Source                         | URL
Code of Federal Regulations    | https://www.gpo.gov/fdsys/browse/collectionCfr.action?selectedYearFrom=2016&go=Go
Federal Laws                   | https://www.congress.gov/
International Data Breach Laws | https://www.dlapiperdataprotection.com/
State Data Breach Laws         | http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
Supreme Court                  | http://caselaw.findlaw.com/
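An added example of the RSS change tracking described in 6.1.6.3, written for this edit rather than taken from the book: it parses a feed, compares each item's guid and publication date with the state saved from the previous poll, and returns the items that are new or updated so they can be routed to the law library for review. The feed XML, its URLs and guids are constructed sample data, and the persisted-state dictionary stands in for whatever index the repository keeps.

```python
"""RSS change tracker for a law and regulation library (added example)."""
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime
from typing import Dict, List, Tuple

# Constructed sample feed standing in for a legislative or regulatory site's
# RSS feed: one item never seen before, one unchanged, one republished.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
  <title>Example Legislative Updates (constructed)</title>
  <item>
    <title>Security Breach Notification Act - Amendment 3</title>
    <link>https://example.invalid/laws/sbna/amend-3</link>
    <guid>urn:example:sbna-amend-3</guid>
    <pubDate>Mon, 04 Mar 2019 10:00:00 GMT</pubDate>
  </item>
  <item>
    <title>Data Broker Registration Rule - Final Text</title>
    <link>https://example.invalid/rules/data-broker</link>
    <guid>urn:example:data-broker-final</guid>
    <pubDate>Tue, 12 Feb 2019 09:30:00 GMT</pubDate>
  </item>
  <item>
    <title>Encryption Safe Harbor Guidance</title>
    <link>https://example.invalid/guidance/encryption</link>
    <guid>urn:example:encryption-guidance</guid>
    <pubDate>Fri, 18 Jan 2019 16:45:00 GMT</pubDate>
  </item>
</channel></rss>
"""

# State saved by the previous poll: guid -> last seen publication time (ISO,
# UTC). In practice this lives in the repository's index alongside the
# document's meta tags; here it is a constructed in-memory dictionary.
PREVIOUS_STATE: Dict[str, str] = {
    "urn:example:data-broker-final": "2019-02-12T09:30:00+00:00",
    "urn:example:encryption-guidance": "2019-01-10T08:00:00+00:00",  # older revision
}


def parse_feed(feed_xml: str) -> List[Dict[str, str]]:
    """Return the feed's items as dicts with title, link, guid and an ISO-8601
    publication time (RFC 822 pubDate converted with the stdlib parser)."""
    root = ET.fromstring(feed_xml)
    items = []
    for node in root.iter("item"):
        pub = node.findtext("pubDate")
        items.append({
            "title": (node.findtext("title") or "").strip(),
            "link": node.findtext("link") or "",
            # Fall back to the link when a feed omits <guid>.
            "guid": node.findtext("guid") or node.findtext("link") or "",
            "published": parsedate_to_datetime(pub).isoformat() if pub else "",
        })
    return items


def detect_changes(items: List[Dict[str, str]], state: Dict[str, str]
                   ) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Split items into those needing review (never seen, or republished after
    the time recorded at the last poll) and return the state to persist next.
    The input state is not modified."""
    changed = []
    new_state = dict(state)
    for item in items:
        last_seen = state.get(item["guid"])
        if last_seen is None:
            changed.append(dict(item, change="new"))
        elif item["published"] > last_seen:  # same ISO/UTC format: string compare is safe
            changed.append(dict(item, change="updated"))
        new_state[item["guid"]] = max(item["published"], last_seen or "")
    return changed, new_state


if __name__ == "__main__":
    to_review, next_state = detect_changes(parse_feed(SAMPLE_FEED), PREVIOUS_STATE)
    for entry in to_review:
        print(f"[{entry['change']:>7}] {entry['title']} -> {entry['link']}")
```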

6.1.6.4 Policy Compliance Scanning

Once you have identified and deployed all the cybersecurity and privacy controls required to adhere to applicable laws and regulations, you will want to ensure they maintain a stable state. Attempting to do this manually is nearly an impossible task. Thankfully there are products and services available that can scan your network, testing your cybersecurity and privacy controls against the policies you established to maintain compliance. Policy scanning is available as a cloud-based service or a standalone product you run yourself. These products and services work by allowing you first to define the policies that you wish to enforce. Next, they scan your network, databases, servers, and applications looking for and testing those controls to verify they are deployed and working. Policy scans can be run outside or behind your firewall. Your scan history is stored securely so you can prove which security controls were in place and working at the time of a data breach if your cybersecurity program effectiveness is called into question in a lawsuit. Table 6-5 provides you with a source of privacy scanning software.

Table 6-5. Privacy Scanning Software

Product                 | Company               | URL
ControlScan             | ControlScan, Inc.     | https://www.controlscan.com/
CloudSploit             | CloudSploit, LLC      | https://cloudsploit.com/
Netwrix Auditor         | Netwrix Corporation   | https://www.netwrix.com/company.html
Privacy Compliance Scan | myPrivacySolutions BV | https://www.privacycompliancescan.com/
TrustArc                | TrustArc Inc.         | https://www.trustarc.com/


6.1.6.5 Forensic Toolkits

When conducting data breach investigations, your organization will require a forensics toolkit to either identify evidence destroyed by employees or create evidence according to the best evidence rule. These tools work by saving an image of a hard disk and confirming the integrity of the data during the process to produce legally admissible evidence. Whichever product you decide to use, it should be one that will hold up to legal scrutiny. Two such products that I have used in the past, Forensic Toolkit (FTK)® and EnCase Forensic, are both court-cited digital investigation products. A comprehensive list of forensic toolkits can be found at https://resources.infosecinstitute.com/computer-forensics-tools/ as well as in Appendix A.

Did You Know? In Nucor Corp. v Bell, a forensic witness’ testimony was invalidated. The court ruled that the facts demonstrated to the Court that Jorgensen’s opinions on the wiping functionality of Ultimate Cleaner were unreliable. Would your digital forensics expert and forensic toolkit stand up to a Daubert Challenge? Source: https://www.theexpertinstitute.com/case-studies/computer-forensics-expert-witness-evaluates-destruction-of-digital-evidence/

6.1.7 Mapping Legal Requirements to Controls

You will find that an important activity within the program is mapping cybersecurity and privacy controls to specific provisions of the various laws and regulations by which your company must abide. This can be accomplished using a Microsoft Excel spreadsheet. Begin by examining each law and flagging instances where a specific requirement is cited. Then review the laws that relate to a legal or regulatory requirement to implement data encryption. Next, inventory the specific provisions related to encryption. Once your spreadsheet is completed, you can align your existing controls to comply with those requirements. Table 6-6 is an example of mapping using the cryptography law component.


Table 6-6. Cryptography Control Mapping
Legal Provisions of Complying with Cryptography Law

Law                                      | Legal Requirement                                               | Current Control or Standard
State Encryption Safe Harbor Provisions  | Encryption key-bit length requirement of 128 bits or higher.    | 512-bit standard is adopted.
Children’s Online Privacy Protection Act | Self-regulatory safe harbor framework.                          | iKeepSafe safe harbor program deployed.
Wassenaar Arrangement                    | Personal use exemption.                                         | Employee work-related travel restricted to Canada, Japan, and the UK.
UK Key Disclosure Law                    | Submit data encryption key upon request of law enforcement.     | Key disclosure policy and procedure published in the policy manual.
HIPAA Security Rule                      | NIST encryption standard requirement for PHI data at rest.      | Company-wide adoption of NIST SP 800-111.

This mapping will allow cybersecurity program personnel to verify and align security and privacy controls to ensure cybersecurity law compliance.

Tip: Check out the Unified Compliance Framework® (UCF) for products offered on mapping cybersecurity and privacy laws to internationally accepted controls such as ISO 27002 and NIST SP 800-53.


6.1.8 ISO/IEC 27002 on Compliance Controls

If you would like to reference a standard for the further definition of your cybersecurity law program, I encourage you to acquire the current version of ISO/IEC 27002, Information technology – Security techniques – Code of practice for information security controls, at the ISO Store. Subsection 18.1, Compliance with legal and contractual requirements, focuses on deploying controls to avoid violations of laws and regulations, as well as contractual obligations. The controls will guide you in:

• Identifying and analyzing applicable laws and regulations.
• Implementing protection for intellectual property.
• Deploying an approach to protect organizational records.
• Identifying and protecting personally identifiable information (PII).
• Identifying and complying with cryptography rules and regulations.

Did You Know? Often referred to as the negligence or “failure to follow” exclusion, some carriers contain within their policy language a specific exclusion which precludes coverage for claims arising from the insured’s failure to maintain minimum/adequate security standards. Can your company prove it maintains adequate security controls? Source: https://www.gbainsurance.com/avoiding-cyber-claim-denials

6.2 Cyber Liability Insurance

Cyber liability insurance policies evolved from errors and omissions (E&O) insurance policies. Twenty years ago, companies could purchase policy riders for software failures, unauthorized access to systems, destruction of data, and computer viruses. Early policies were referred to as network security or Internet liability policies. At the beginning of 2005, policies were widely available to provide specific coverage for data breach incidents. These policies were particularly popular with retailers who held a significant amount of exposure from the credit card data they held and processed. Based on customer demand, insurance companies launched cybersecurity and privacy liability policies. It is estimated that one in three companies now has some form of data breach insurance policy (DiCanio, 2015).

Did You Know? The number one claim made on cybersecurity insurance policies was a system glitch. The average claim was $19.5 million between 2013 and 2017. Would your digital forensics expert and forensic toolkit stand up to a Daubert Challenge? Source: https://www.statista.com/statistics/667597/cyber-insurance-claim-cost-north-america-by-cause-of-loss/

According to AIG, insurance underwriters collected $1.6 billion in premium income in 2015. Allianz projects premium income to grow to $20 billion by 2025 (Ramsinghani, 2016). In my experience with customers, premiums can range from $15,000 to $50,000 for one million dollars in coverage depending on risk. Cyber liability policies can include the following components:

• Errors and Omissions: This type of insurance covers non-fraudulent causes of failures or errors occurring in the performance of computer services. Technology companies offering cloud, software, or consulting services typically acquire this type of insurance.

• Media Liability: This type of insurance covers customer injury claims resulting from intellectual property infringement, copyright or trademark infringement, libel, and slander. Coverage could also be extended to patent or trade secret violations. This coverage is important to organizations with sizable online presences.

• Network Security: This type of insurance covers network equipment failures or external attacks against your network, including denial of service attacks. Network outages or breaches covered can include data breaches of consumer information, cyber extortion, data alteration or destruction, or malware infestations.

• Privacy: This type of insurance covers breach of physical records caused by theft, loss, or accidental disclosure. Other incidents that may be covered include improper disposal of equipment containing sensitive data and inadvertently collecting confidential information.

• Network Security and Privacy Liability: This type of insurance is a hybrid policy that also provides coverage for both the insured company and their third-party service providers. It covers the costs for responding to and recovering from data breaches, including penalties assessed from a lawsuit.

6.2.1 Coverage Categories

Cyber liability policies can be acquired to cover either first party losses, i.e., losses your company experiences solely, or third party losses, i.e., losses that others experience as a result of your data breach. Before determining what type of policy is best for your company, it is important to include areas of coverage that you have identified from your business impact or risk assessment. This will allow you to align appropriate levels of insurance without over- or under-insuring for losses. Table 6-7 presents coverage available for first- or third-party losses.


Table 6-7. First and Third Party Loss Coverage

First Party Losses
• Cost to pursue indemnity rights.
• Crisis management expenses.
• Data ransom.
• Data recovery.
• Good faith advertising.
• Forced cybersecurity program oversight expenses.
• Hiring forensic experts.
• Hiring of private investigators.
• Litigation defense.
• Loss of profits caused directly by the breach.
• Making legally required data breach notifications.

Third Party Losses
• Compromised intellectual property loss.
• Costs of responding to regulatory inquiries.
• Data transfer losses.
• Impaired access.
• Lawsuit settlements.
• Liability to financial institutions for reissuing credit or debit cards.
• Offering credit monitoring services as part of a settlement.
• Regulatory fines.

These categories also align to first- or third-party related expenses. Once again, first party expenses are your direct costs; third-party costs are those costs relating to those whom your company’s breach may have harmed. You will also need to focus on what is covered within each of these categories. For example, even though you may have a $5 million policy, you may only have $100,000 coverage for forensics-related costs. This would be an example of a sublimit. A sublimit is an amount of insurance coverage available to cover a specific type of loss. I have seen customers become quite upset when they realize their $5 million of coverage only allows $250,000 for a loss event. Your risk assessment should guide you to which policy categories you should focus on. Also consider insurance based on your company’s residual risk. Residual risk is the risk that is left after you have applied all your security controls. For example, if you have a risk score of five (or moderate) according to a point scale for a data breach, it may be enough to have a sublimit of $250,000 for data breach related costs. However, if after you apply compensating controls your risk score remains at eight, you may want to increase the coverage sublimit. If you have the money and you don’t want to have to worry about sublimits, you can always acquire a blanket insurance policy. Some of the most expensive policies offer blanket coverage with no sublimits.

You will also need to consider the deductibles for each sublimit to make sure you are not paying for insurance that you could never use because the deductible consumes a specifically categorized area of coverage. Because deductibles can vary widely, you would do best to shop for policies. You will also need to read the fine print because there will be various conditions for each claim. Examples of these conditions include the period your network is down for a denial of service attack, how complete your security controls are, and even whether you were completely truthful on your policy application. Some businesses have learned that filing a data breach claim against their commercial general liability or property insurance policies is problematic and there is no guarantee their claim will be approved. Insurance companies have claimed these types of policies were never meant to cover data breaches and began commonly including data breach exclusions in new and renewed policies. Insurance companies have a long and litigious history of denying claims where customers have claimed their electronic data is property and subject to coverage under their general loss policy. You will need to decide if you are willing to gamble that your existing policy will cover a data breach or be proactive and conduct a thorough policy review to understand how your policy performs in the event of a data breach.

6.2.2 Policy Restrictions

As with anything in life, nothing is without boundaries, and cyber liability insurance policies are no exception. As with most types of insurance policies, consequential or abstract losses are not covered. Insurance companies are going to need concrete demonstrations of loss, just as courts have ruled that victims of data breaches need to prove a real loss. The following categories of loss, although very real, are not likely to be covered by your insurance policy:

• Claims based on subsequently proven inadequate security controls.
• Claims made on invalid or untruthful policy application declarations.
• Costs of upgrading failed security systems.
• Intangible calculations for loss of your company’s reputation.
• Intrinsic loss of intellectual property.
• Projections for loss of future revenue.

You should conduct a business impact assessment (BIA) of your company’s exposure to uninsured coverage losses. Treat the cyber insurance policy restrictions mentioned above as vulnerabilities in the context of a risk assessment.

6.2.3 Policy Value

Many of us view insurance as a painful expense that may never be needed. Cyber liability insurance is a bit different in that the policy provides some services that most companies don’t think of when they start considering acquiring such policies. Insurance companies offering these types of policies have a vested interest in your company not getting compromised and recovering as quickly as possible with the least cost. A cyber liability insurance policy can help even when no claim exists by providing:

• Access to cyber breach lawyers.
• Access to cyber breach forensic experts.
• Access to pre-breach risk avoidance advice.
• Advice on limiting exposure to cyber breach lawsuits.
• Access to cyber breach documentation portals.

6.2.4 Policy Cost

The cost of cyber liability insurance is based on risk consisting of industry threat profile and loss history, current cyberattack safeguards, the sensitivity of data retained, and requested levels of coverage. Based on these factors, the cost varies widely even among insurance companies offering these types of products. To provide you with a basis of cost, I analyzed cyber liability insurance policies from 35 companies across seven industries with an average of $138.8 million in annual revenues. The raw data for this analysis came from a website posting from Cyber Data Risk Managers LLC (Marciano, 2016). The average policy amount was $3.71 million with an average annual premium of $20,309. Each dollar of cyber liability insurance costs these companies less than one-half cent. You can use this data to arrive at a rough order of magnitude estimate for what a cyber liability policy would cost your business. The following are some additional facts from my research:

• Most policy coverage limits came in increments of $1 million, $2 million, $5 million, and $10 million.
• Financial companies paid the highest premiums followed by technology companies.
• Services companies paid the least in premium payments.
• Technology companies purchased the highest levels of coverage, followed by retail.
• Healthcare, technology, and services companies bought most of the policies.

The significant increase in cyberattacks has caused insurers to increase the cost of cyber liability insurance premiums as well as raise deductibles. Average rates for retailers rose 32% in 2015 (Finkle, 2015). Cyber liability policies are available up to $100 million; however, keep in mind, the more coverage you seek, the more due diligence the insurance company will do in advance of issuing a quote.

6.2.5 Policy Claims

To understand where companies have made claims against their cyber liability insurance policies I looked to the 2018 Cyber Claims Study produced by NetDiligence, a cyber risk assessment and data breach service company. The study was based on an analysis of 1,201 claims made against policies as reported by the underwriters who approved the claims. Please note that data breaches are commonly reported in terms of compromised records, meaning that a single breach could include millions of records. The following are the key findings from this report:

• Average breach claim was $603,900.
• The average payout for crisis services was $307,000.
• The average claim for a large company was $8.8 million.
• Defense: average = $106,000, median = $17,000.
• Settlement: average = $224,000, median = $58,000.
• Regulatory Defense: average = $514,000, median = $84,000.
• Regulatory Fines: average = $18,000, median = $11,000.

To gain more insight on how others have used their cyber liability insurance policies, I encourage you to read this important report available at https://netdiligence.com/wp-content/uploads/2018/11/2018-NetDiligence-Claims-Study_Version-1.0.pdf.

Tip: Calculate data breach costs based on the estimated number of impacted records and the average cost of remediation based on the NetDiligence data loss numbers presented within their 2018 report.

6.2.6 Policy Claim Disputes

As popular as cyber liability insurance is, it is not without its controversy. In some widely publicized cases, insurance companies or claimants have sued one another after a breach, either looking to avoid paying or enforcing their policy to receive payment. One such case, CNA v. Cottage Health, was discussed in Chapter 2. If you have ever renewed an insurance policy after you have had a claim, you know that it can be problematic, with insurance companies wanting to drop you or raise your rates. Cyber liability insurance companies are no different. Companies have publicly reported that insurers have either refused to renew their policies or substantially increased their premiums or deductible amount. The following are some of the reasons that insurance companies have denied paying on data breach claims:

• Failing to have a certified and qualified security professional in charge of cyber security.
• Failing to perform vulnerability scans at regular industry accepted periods.
• Failing to follow accepted industry security standards such as the Payment Card Industry Data Security Standard (PCI-DSS).
• Failing to adhere to policy provisions.
• Failure to pay premiums on time.
• Failing to exhaust provisions of other related policies such as general liability policies.
• Failing to meet the self-funding provisions of the policy.

It will be critical for you to work closely with your insurance broker or company risk insurance manager to understand how to comply with the provisions of the policy and avoid denial of a claim. It is also important to understand what type of coverage may be included in your commercial general liability (CGL) policy.

6.2.7 Policy Lawsuits

Described below are some interesting court precedent cases involving insurance and claimants’ lawsuits.


6.2.7.1 P.F. Chang’s v. Travelers Indemnity Co.

Travelers Companies filed a lawsuit against their customer P.F. Chang’s China Bistro, Inc. stating that it is not obligated to cover defense costs related to the restaurant chain’s 2013 data breach of over seven million customer records. Travelers claimed that the chain had a separate cyber liability insurance policy that they had not made a claim against and that the chain had not met its liability self-funded retentions endorsement of $250,000. What is important about this case is that insured companies will need to understand how insurance policies from different companies treat their claim, as well as their need to ensure they exhaust all their policy obligations before making a claim (Sturdevant, 2014). You need to understand how primary and subordinate policies pay claims and what provisions may exist that could cancel out certain policy features such as self-funding endorsements.

6.2.7.2 Recall Total Information Management Inc. v. Federal Insurance Co.

In this case, the Connecticut Supreme Court ruled that there was no coverage for the loss of computer tapes containing IBM employees’ PII when they fell out of the back of a Recall courier van. The court stated that there was no evidence that the data was accessed and consequently there was no harm. What is important about this case is that insured organizations will need to prove PII was compromised to receive payment on a claim (Lavine, 2014).

6.2.7.3 Retail Ventures v. National Union Fire Insurance Co.

National Union Fire Insurance filed an appeal in the United States Court of Appeals for the Sixth Circuit requesting that a previous judgment of $6.8 million plus expenses be vacated. In this case, DSW Shoe Warehouse, Inc. was awarded $6.8 million in stipulated losses to be paid by the insurer under their blanket crime policy for a 2005 hacking incident after the insurer refused to pay. The costs incurred by DSW related to resolving the breach, compensating customers, and payment of fines. The court ruled for DSW, denying the insurer’s appeal. What is important about this case is that the court ruled that an insurer’s non-cyber but general commercial crime policy covered third-party losses resulting from a large-scale computer hacking attack. Until insurers close this gap in policies, insureds will have a basis to obtain coverage under their non-cyber policies (Greenwald, 2012).

6.2.7.4 Travelers Property Casualty Company of America, et al. v. Federal Recovery Services, Inc., et al.

Here the District Court of Utah ruled that Travelers has no obligation to defend two service companies (Federal Recovery Services Inc. and Federal Recovery Acceptance Inc.) in a suit alleging they withheld customer information from Global Fitness Holdings, LLC. The judge stated that the Travelers CyberFirst policy was not applicable as there was no damage resulting from errors, omissions, or negligent acts. The lawsuit the service firms sought to have Travelers defend against involved none of these insured causes. The facts of the case were that the service companies purposefully withheld Global’s member data for money while Global was being acquired by LA Fitness, subsequently interfering with the purchase transaction. What is remarkable about this case is that insured companies need to understand that first party claims based on fraud are not covered (Anderson, 2015).

6.2.7.5 Universal Am. Corp. v. National Union Fire Ins. Co.

In this case, the insurance carrier denied a claim relating to losses incurred for fraudulent use of the insured’s computer systems. Universal made a claim under their computer fraud policy to cover losses caused by several healthcare providers who accessed their systems and fraudulently processed $18.3 million in bogus Medicare Part D claims. The court ruled that the computer fraud policy applied to wrongful acts in the manipulation of the computer system, i.e., by hackers, but did not cover fraudulent acts by authorized users of their systems. This case highlights why it is important to closely examine insurance policies, including the insuring agreements, definitions, and exclusions (Wolin & Sessions, 2013).

6.2.7.6 Zurich Insurance v. Sony

Here Zurich refused to pay a commercial general liability (CGL) claim related to Sony’s well-publicized 2011 hacking incident of their PlayStation Online Services, stating they had no duty to defend the resulting litigation. Sony claimed that their policy provided for payments in cases where the disclosure of personal data through oral or written publication was a covered event. Zurich disagreed, arguing that this provision only applies to Sony employees and not third parties, or in this case the hackers that stole the customer data. The judge ruled that a claim would require an act or conduct by the policyholder for the coverage to be in force. What is important about this case is that insured companies should know the differences between first party and third party acts when making a claim (Greenwald, 2014).

As these examples clearly indicate, the devil is in the details, or in these cases the fine print of the cyber liability policies.


6.2.8 Act of War Defense

As if insurance companies did not have enough reasons to deny a claim, we can add a new one – “hostile and warlike actions.” Insurance policies generally include an exclusion for acts of war, but not many insureds would have thought that ransomware would rise to the level of consideration as an act of war. We are all going to watch closely the lawsuit filed late in 2018 between Mondelez International and Zurich American Insurance Company. In Mondelez International, Inc. v. Zurich American Insurance Company it is alleged two separate intrusions of the NotPetya virus at different locations caused permanent dysfunction of 1,700 servers and 24,000 laptops occurring in June of 2017. Mondelez publicly reported the cost of recovering from the cyberattack was $54 million in the nine months ending in 2017. In October 2018, Mondelez International filed suit against Zurich American Insurance Company. At stake is a $100 million insurance claim for damage caused by NotPetya. Zurich has rejected the claim, and Mondelez is suing for breach of (cyber insurance) contract (Townsend, 2019). Mondelez states that they acquired the cyber insurance policy because it specifically covered ransomware. However, in 2018, Zurich reclassified ransomware as an act of war. Specifically, the Zurich policy excludes “loss or damage” caused by a “hostile or warlike action in time of peace or war” by any “(i) government or sovereign power...; (ii) military, naval, or air force; or (iii) agent or authority of any party specified in i or ii above.” (Townsend, 2019).

Did You Know? Merck sued more than 20 insurers that rejected claims related to the NotPetya attack, including several that cited the war exemption. Could your company handle a complex lawsuit involving multiple insurance companies? Source: https://www.nytimes.com/2019/04/15/technology/cyberinsurance-notpetya-attack.html

Tip: Review all policy text changes annually to verify that the terms of your cybersecurity insurance policy have not changed, altering your coverage.

6.2.9 Insurable vs Uninsurable Risk

Transferring risk is an important concept in risk treatment. The foundation is insurance; understanding what can and cannot be insured is essential knowledge for CISOs and risk managers. While certain risks are insurable, other risks may be uninsurable. Essentially, insurable risks are risks for which an insurance underwriter can project a future loss, which would ultimately lead to a claim. Uninsurable risks are those where an underwriter cannot determine the outcome of a loss, or where the loss should be preventable by the insured. For example, losses resulting from fraud or negligence cannot be insured. Figure 6-4 provides an overview of insured versus uninsured risk.


Figure 6-4: Insurable vs. Uninsurable Risk

6.2.10 Cyber Risk Insurance Pools

As damages for breaches of cybersecurity increase, traditional providers of cyber risk insurance require larger claims reserves. Ransomware attacks have created exceptionally large claims for single loss events. For example, the losses associated with the NotPetya ransomware attack in 2017 on Maersk, FedEx and other companies were estimated by RMS, a risk modeling company, at $3 billion. Current policy limits and reserves are too restrictive to cover losses of that magnitude for several loss events. Global companies are seeking more coverage; however, the insurance industry is not presently able to provide the coverage large global companies are requesting. The insurance industry is addressing this issue through the creation of cyber risk pools. A cyber risk pool would offer a facility for providing cyber insurance to corporate buyers where capital markets are tapped to fund the risk. Cyber risk pools would allow for larger policy limits for specific use-cases. It can also be a safer way for professionals to learn the cyber risk landscape and become a part of the market. In October of 2018, Singapore’s finance minister announced the launch of the world’s first commercial cyber risk insurance pool, which will be backed by both traditional reinsurance and insurance-linked securities. The Singapore cyber risk pool will commit up to US $1 billion of capacity to the cyber insurance problem.

6.2.11 Silent Cyber Risk Insurance

One of the newest issues in cyber risk insurance is “silent cyber risk.” This term describes cyber-related losses stemming from insurance policies that were not specifically designed to cover cyber risk. For example, an insured leverages their general liability policy to make cyber loss claims. These policies were never intended for that purpose. Insurers have come to realize they have substantial unquantified cyber exposures. This exposure is causing insurance companies to quantify their silent exposure. Insurance rating service Moody’s announced it will start using its credit-rating expertise to evaluate organizations on their risk of a major impact from a cyberattack.

6.3 Data Breach Worksheet

Every organization should have a data breach worksheet with several data loss scenarios on file. Table 6-8 is a simple example of a worksheet to get you started on creating your own. Identify all potential costs associated with a data breach, including:

• Business impact losses.
• Crisis management costs.
• Customer direct loss reimbursements.
• Customer goodwill gestures.
• Digital forensics cost.
• Infrastructure rebuild costs.
• Legal costs.
• Notification costs.
• Regulatory fines.
• Security controls enhancement costs.

Did You Know? IBM estimates the average cost per record of a data breach to be $150. 67% of the breach-related costs occur in the first year, followed by 22% in year two and 11% after two years. Does your company know the cost per record of a data breach? Source: https://databreachcalculator.mybluemix.net/

Table 6-8. Data Breach Worksheet

Number of Exposed Records | Data Type | Was Data Encrypted? | Were Encryption Keys Stolen? | State Data Breach Notifications | Breach Source | Impact | Class Action Lawsuit Anticipated? | Cost per Record
100 | PCI | Yes | No | 2 | Insider | Unknown | No | $150
1,000 | PHI | No | Yes | 5 | Hacker | Identity Theft | Yes | $150
10,000 | PII | Unknown | Unknown | 50 | Device Loss | Public Disclosure | Yes | $150
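The worksheet in Table 6-8 carried into code, as an added example that is not from the book: each row becomes a scenario, total cost is exposed records times cost per record, and the 67/22/11 year split quoted in the "Did You Know?" box spreads that cost over three years. The encryption safe-harbor check is an assumption about how typical state notification statutes treat encrypted data, not something the worksheet itself states.

```python
"""Data breach cost worksheet modelled on Table 6-8 (added example)."""
from dataclasses import dataclass

# Year-by-year split of breach-related costs quoted in the text (IBM):
# 67% in year one, 22% in year two, 11% after two years.
COST_SPREAD_BY_YEAR = (0.67, 0.22, 0.11)

# Per-record cost from the text; replace with your own calculator runs.
DEFAULT_COST_PER_RECORD = 150


@dataclass(frozen=True)
class BreachScenario:
    """One worksheet row; field names mirror the Table 6-8 columns."""
    exposed_records: int
    data_type: str               # PCI, PHI, PII ...
    data_encrypted: str          # "Yes", "No" or "Unknown"
    keys_stolen: str             # "Yes", "No" or "Unknown"
    state_notifications: int     # state notification laws triggered
    breach_source: str
    impact: str
    class_action_anticipated: str
    cost_per_record: int = DEFAULT_COST_PER_RECORD

    def total_cost(self) -> int:
        """Worksheet arithmetic: records x cost per record."""
        return self.exposed_records * self.cost_per_record

    def cost_by_year(self) -> list:
        """Spread the total over years using COST_SPREAD_BY_YEAR.
        Any rounding remainder is pushed into year one so the parts
        always sum exactly to the total."""
        total = self.total_cost()
        parts = [round(total * share) for share in COST_SPREAD_BY_YEAR]
        parts[0] += total - sum(parts)
        return parts

    def encryption_safe_harbor(self) -> bool:
        """Assumption (not from the worksheet): many state notification
        statutes exempt encrypted data when the key was not compromised,
        so only an unambiguous encrypted=Yes / keys stolen=No pair
        qualifies; "Unknown" is treated conservatively as no harbor."""
        return self.data_encrypted == "Yes" and self.keys_stolen == "No"


def worksheet_summary(scenarios) -> dict:
    """Per-scenario totals plus the grand total across the worksheet."""
    rows = []
    for s in scenarios:
        rows.append({
            "data_type": s.data_type,
            "records": s.exposed_records,
            "total_cost": s.total_cost(),
            "cost_by_year": s.cost_by_year(),
            "safe_harbor": s.encryption_safe_harbor(),
            "state_notifications": s.state_notifications,
        })
    return {"rows": rows, "grand_total": sum(r["total_cost"] for r in rows)}


# The three scenarios exactly as they appear in Table 6-8.
TABLE_6_8 = [
    BreachScenario(100, "PCI", "Yes", "No", 2, "Insider", "Unknown", "No"),
    BreachScenario(1_000, "PHI", "No", "Yes", 5, "Hacker",
                   "Identity Theft", "Yes"),
    BreachScenario(10_000, "PII", "Unknown", "Unknown", 50, "Device Loss",
                   "Public Disclosure", "Yes"),
]

if __name__ == "__main__":
    summary = worksheet_summary(TABLE_6_8)
    for row in summary["rows"]:
        print(row)
    print("grand total:", summary["grand_total"])
```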

6.3.1 Data Breach Calculators

One way to determine how much cybersecurity insurance to carry is to use a data breach calculator to estimate the cost of a data breach. There are literally dozens of calculators available, which allow you to quickly estimate the cost your organization faces in the event confidential or sensitive information is exfiltrated. Table 6-9 lists the calculators I have reviewed and used on previous engagements.

Table 6-9. Data Breach Calculators

Company | Product | URL
At-Bay | Data Breach Calculator | https://www.at-bay.com/data-breach-calculator/
Aon | Cyber Risk Diagnostic Tool | https://www.aoncyberdiagnostic.com/
Doeren Mayhew | CYBERCLAW™ Data Breach Calculator | https://doeren.com/services/it-advisory-and-cybersecurity/cyberclaw-data-breach-calculator/
Gemalto | Data Breach Risk Assessment Calculator | https://breachlevelindex.com/data-breach-risk-assessment-calculator
IBM | The Data Breach Risk Calculator | https://databreachcalculator.mybluemix.net/
NetDiligence | Sample Data Breach Cost Calculator | https://eriskhub.com/mini-calc-usli
Vitrium | Data Breach Calculator | https://blog.vitrium.com/document-security-protection-drm-blog/how-much-does-a-data-breach-cost-a-quick-worksheet

6.4 Compliance Auditing

Building a cybersecurity program to comply with legal and regulatory statutes as well as industry standards is only part of the process of developing a cybersecurity law program. The second part of the equation is auditing your program for compliance. Organizations have a fiduciary responsibility to ensure their cybersecurity program is properly governed through a process of checks and balances. Compliance auditing is not concerned with threat and vulnerability assessments, but rather with a review of an organization's adherence to the laws, regulations, standards, and policies it is obligated to follow. The auditing process looks for areas of material noncompliance owing to fraud, error, omission or operational deficiency. Figure 6-5 presents a model to structure the scope of a compliance audit.


Figure 6-5: Compliance Auditing Model

Organizations need to pay attention to changes in auditing standards, in particular the new definitions of significant deficiencies and material weakness, which have lowered the thresholds for reportable control deficiencies and can result in an auditor citing a critical audit matter.

6.4.1 Critical Audit Matters (CAM)

The Public Company Accounting Oversight Board (PCAOB) published guidance (AS 3101) concerning critical audit matters (CAM) for companies with fiscal years ending on or after June 30, 2019. This new guidance addresses how auditors describe their considerations and concerns over material weaknesses. The goal is to make audit reports more relevant and informative to investors. AS 3101 essentially frees auditors to openly discuss concerns about a company's material weaknesses. Following this new guideline, auditors are required to:

• Identify the critical audit matter.
• Describe the principal considerations that led the auditor to determine that the matter is a CAM.
• Describe how the CAM was addressed in the audit.
• Refer to the relevant financial statement accounts or disclosures that relate to the CAM.

The release also states that the determination of a CAM should be made in the context of a particular audit, with the aim of providing audit-specific information rather than a discussion of generic risks. It is expected that in most audits to which the CAM requirements apply, the auditor would identify at least one CAM. If no CAMs are identified, the auditor would be required to make a statement to that effect in the auditor's report.

Table 6-10 outlines inadequate information technology and security controls that led to material weakness audit findings.

Table 6-10. Material Weaknesses

Company | Year | Material Weakness
Stitch Fix | 2019 | Inability to adequately assess controls pertaining to outsourced IT service providers.
Revlon, Inc. | 2019 | Lack of design and maintenance of effective controls in connection with the previously disclosed implementation of its enterprise resource planning (ERP).
Meta Financial Group | 2019 | Inappropriate user access to information technology applications.
Costco | 2018 | General information technology controls in the areas of user access and program change management over certain information technology systems that support the Company's financial reporting processes.
Office of Personnel Management (OPM) | 2017 | Extreme risk associated with neglecting the IT security controls of its information systems.

6.4.2 Internal vs. External Auditing

Auditing is performed in two primary ways: by an organization's internal auditing department, or by an external auditing firm retained by senior management. Some information security practitioners believe an internal audit is less formal than an external audit; however, both should be treated with equal respect and importance. Both internal and external audits are performed by parties independent of the information security department, and both report their findings to an audit committee.

• Internal Audit: Typically, organizations will have an internal department staffed by employees completely independent from other departments that reports directly to an audit committee. The internal audit group, although primarily focused on financial controls, will have one or several employees who have experience in information technology and cybersecurity controls. The internal audit department's scope and depth of audits are generally dependent on the size of its audit staff. Compliance with legal and regulatory standards and statutes is a prime focus of many internal audit organizations today. Internal audits are used by many organizations to prepare for an external audit.

• External Audit: Public and private organizations alike retain public accounting firms that are independent companies with no financial or business interests in the organization other than the performance of an audit. Their focus is on verifying the financial statements and risk to the organization. External auditors perform annual statutory audits of an organization's financial well-being and operational integrity. They issue opinions on an organization's financial health and risk management. To support their opinions, they will test internal controls to verify that the controls manage or mitigate risk as designed or intended, preventing financial fraud, interference, or error. In some instances, an external auditing firm may perform a review, where no test of controls is performed.

Did You Know? On October 31, 2019, Stitch Fix, Inc.'s auditors, Deloitte Touche Tohmatsu, flagged a material weakness in IT controls. Stitch Fix couldn't adequately assess controls pertaining to outsourced IT service providers. Third-party IT service providers could not provide system and organization controls reports that aligned with the company's fiscal year. That issue was considered material because it could affect account balances and disclosures in Stitch Fix's financial statements, according to the auditor. Does your company understand the material weakness audit standard? Source: https://www.wsj.com/articles/stitch-fixs-material-weakness-over-it-controls-spotlighted-under-new-audit-rule-11572559214?mod=djemRiskCompliance

Table 6-11 presents the primary differences between internal and external audits.

Table 6-11. Internal vs. External Audits

Function | Internal Audit | External Audit
Independence | Internal department | External company
Reporting of Findings | Audit committee | Audit committee
Audit performance | Employees | Public accounting firm
Approach | Review controls | Test controls
Role | Consultant | Accountant
Focus | Risk management | Financial stability
Emphasis | Improve processes | Find faults and failures
Selection | Hired by organization | Shareholder vote
Allegiance | Management | Shareholders
Schedule | Ongoing process | Annually

6.4.3 Auditing Associations

Audits are performed according to auditing standards, of which there are several widely followed international auditing standards. Standards define not only the ethics, rigor, and integrity of an audit but also the mandatory requirements of information assurance and security. Virtually all audit standards contain the same basic principles of auditing concerning common audit language, evidence gathering, testing models, and reporting. Audit standards are primarily concerned with financial reporting; in support of that objective, all audit standards evaluate the security and continuity of an organization's financial systems. You should be familiar with the specific audit standard used by your internal and external auditors. Once identified, you will then need to determine which information security control framework is referenced by your auditors. Table 6-12 presents the leading auditing associations throughout the world.

Table 6-12. International Auditing Associations

Association | Applicability | Standard Name
American Institute of Certified Public Accountants (AICPA) | United States | Statements of Auditing Standards
Confederation of Asian and Pacific Accountants (CAPA) | Pan-Asia | Accounting Maturity Model
Financial Reporting Council (FRC) | United Kingdom | The International Standards on Auditing
Institut der Wirtschaftsprüfer in Deutschland e.V. (IDW) | Germany | German Standards on Auditing
Institute of Internal Auditors (IIA) | North America | International Standards for the Professional Practice of Internal Auditing
International Auditing and Assurance Standards Board (IAASB) | International | International Standards of Auditing
International Federation of Accountants (IFAC) | International | The International Standards on Auditing
The Japanese Institute of Certified Public Accountants (JICPA) | Japan | Japanese Standards on Auditing
Public Company Accounting Oversight Board (PCAOB) | United States | Auditing Standards
The Institute of Chartered Accountants of India (ICAI) | India | Indian Accounting Standards

Summary The volume of data protection disputes could rise by six times within five years according to a 2016 study by the School of International Arbitration at Queen Mary University of London and the Pinsent Masons law firm (Millman, 2016). This startling statistic should compel you to create a cybersecurity law program to prepare your organization to defend against an increasingly probable event – a data breach lawsuit. In this chapter, you have seen examples of a program model, an architecture, and an organization structure. These are the building blocks you will need to begin your project of creating a cybersecurity law program. However, you must keep in mind that even the best thought out cybersecurity law programs cannot deter every lawsuit. This is where cyber liability insurance plays an important role. Creating an important program such as this does not happen overnight; it takes planning, investment, and time. It may be easy to become overwhelmed, but remember that small, steady progress is better than no program at all.

Your Next Step You may be asking yourself, “What is next?” Well, you are in luck. Understanding your current state of readiness is the essential first step. Go to Appendix A and complete the Cyber Tort Readiness Checklist. This will give you real insight into how prepared your organization is to defend against a data breach lawsuit. Next, review the Bill of Materials in Appendix A, which will show you what is necessary to construct your program by providing you an inventory of what you will require. Use the charts in this chapter as your guidepost for design. They will allow you to visualize the result of your efforts in building a program. If you are lacking technology to automate aspects of your program, investigate some of the products I have mentioned throughout various chapters. When you are ready, staff your program using the sample organization chart and RACI diagram provided as your guide. Use the knowledge learned in this book to advise your organization on how to avoid a cyber liability lawsuit, and if your company is sued, be the voice of reason and have confidence you can guide the company to the best possible outcome. Now that you are grounded in what is happening today in cybersecurity and privacy, it is time we look to the future in Chapter 7.


References

Anderson, R. D. (2015, May 14). Five takeaways from the first cyber insurance case. Retrieved from https://www.advisenltd.com/2015/05/14/5-takeaways-from-the-first-cyber-insurance-case/

DiCanio, M. N. (2015, May 19). Preparing for the inevitable: Insurance for data breaches. New York Law Journal. Retrieved from https://www.law.com/newyorklawjournal/almID/1202726774292/

Finkle, J. (2015, October 12). Cyber insurance premiums rocket after high-profile attacks. Reuters Technology News. Retrieved from http://www.reuters.com/article/us-cybersecurity-insurance-insight-idUSKCN0S609M20151012

Greenwald, J. (2012, August 23). DSW Shoe Warehouse wins dispute with Chartis unit over data theft coverage. Business Insurance. Retrieved from http://www.businessinsurance.com/article/20120823/NEWS07/120829934

Greenwald, J. (2014, February 25). Zurich owes no defense in Sony PlayStation hacking: Court. Business Insurance. Retrieved from http://www.businessinsurance.com/article/20140225/NEWS07/140229914

Grounds, A. A. (2015, December 2). 2015 revisions to the Federal Rules of Civil Procedure are now in effect: 5 key practice pointers to meeting the new requirements. Retrieved from http://www.troutmansanders.com/2015-revisions-to-the-federal-rules-of-civil-procedure-are-now-in-effect-5-key-practice-pointers-to-meeting-the-new-requirements-12-02-2015/

Harris, B. (2017, July). Legal hold and data preservation: Benchmark survey 2017 results [White paper]. Retrieved from https://complexdiscovery.com/wp-content/uploads/2017/08/Zapproved-2017-Legal-Hold-Benchmark-Report.pdf

Lavine, J. (2014, January 20). Recall Total Information Management, Inc. v. Federal Insurance Company: Expenditures from data-loss event were not personal injuries. Connecticut Law Tribune. Retrieved from https://www.law.com/ctlawtribune/almID/1202639170141/

Marciano, C. (2016, June 1). How much does cyber/data breach insurance cost? Retrieved from http://databreachinsurancequote.com/cyber-insurance/cyber-insurance-data-breach-insurance-premiums/

Millman, R. (2016, November 21). Legal experts predict 600% surge in data protection disputes. ITPro. Retrieved from http://www.itpro.co.uk/strategy/27612/legal-experts-predict-600-surge-in-data-protection-disputes

Ramsinghani, M. (2016, May 23). Can startups disrupt the $20 billion cyber insurance market? TechCrunch. Retrieved from https://techcrunch.com/2016/05/23/can-startups-disrupt-the-20-billion-cyber-insurance-market/

Sturdevant, M. (2014, October 10). Travelers says liability policy doesn't cover P.F. Chang's data breach. Hartford Courant. Retrieved from http://www.courant.com/business/connecticut-insurance/hc-travelers-p-f-chang-data-breach-20141009-story.html

Townsend, K. (2019, January 14). Zurich rejects Mondelez' $100 million NotPetya insurance claim citing 'act of war'. Security Week. Retrieved from https://www.securityweek.com/zurich-rejects-mondelez-100-million-notpetya-insurance-claim-citing-act-war

Wolin, R., & Sessions, L. (2013, October 17). Computer crime insurance coverage: Can it cover fraudulent entries submitted by an authorized user? Lexology. Retrieved from http://www.lexology.com/library/detail.aspx?g=b4ef1d80-6483-4988-9d51-524c87695ccc

Self-Study Questions

The following exercises help you build your cybersecurity law program.

1. Using the Cybersecurity Law Program, inventory all your organization's artifacts aligned to components and subcomponents. Make note of missing components.
2. Create a Cybersecurity Law Program organization chart.
3. Create a Cybersecurity Law Program RACI diagram.
4. Match your organization's policy statements to the policy statements represented herein to identify gaps in cyber law policy coverage.
5. Determine whether your organization has adequate precautions in place against evidence spoliation.
6. Map your organization's data encryption standards to applicable encryption requirements of state, federal and international laws.
7. Run several compliance scans against the inventory of applicable laws to determine if your organization complies with required statutes.
8. Review your organization's cyber insurance policy for hostile and warlike action clauses. Work with your legal department to determine if your organization could make a successful ransomware damage claim.
9. Use the data breach worksheet in Table 6-8 as a model to develop a custom worksheet for your own organization. Consider the cost of fines, customer remuneration costs, security improvement, etc.
10. Use several data breach calculators to arrive at a reasonable average cost of a data breach for your organization. Run a range of data loss scenarios.


Chapter 7

Future Developments in Cybersecurity Law I have shared a brief history of cybersecurity law, discussed the application of law to cybersecurity civil and criminal offenses, and now it is time to look toward the future. As a manager involved with the protection of your organization’s information, you will need the optics to peer around the corner to see what’s ahead in the areas of cybersecurity and privacy. In this chapter, I explore what I believe are the regulatory and technological developments and the global cybersecurity legislative momentum that will shape the future of cybersecurity law.

This chapter will help you to:

• Understand the impact of emerging legislation on your cybersecurity program.
• Recognize that technology advancements must be evaluated in the context of the law.
• See how a trade pact may have a significant impact on how you conduct business globally.
• Gain an appreciation for international cybersecurity legal frameworks.
• Develop a global view on cybersecurity and data privacy.


7.1 Future of Cybersecurity Legislation

The speed at which cybersecurity legislation is evolving requires you to have an eye toward the future to gauge the impacts to your organization's cybersecurity and privacy programs. The total number of laws of which you must stay abreast, as well as their many amendments, can cause a change control nightmare within your cybersecurity and privacy programs' policies and practices. In addition, you need to determine how changes in technology will affect how your organization adheres to cybersecurity and privacy laws and regulations. Think about how a single technological change such as the cloud has changed your business model. If you look into the various laws throughout the world, you will see that countries have varied approaches to cyber sovereignty and digital rights. How your company uses information in one country may not be legal in another. The US and the UK have historically dominated cybersecurity law precedent; however, other countries are proving to be more nimble and adaptive when it comes to drafting cybersecurity and privacy legislation. I am often asked, "Which country has the best cybersecurity legal framework?" My answer for years has been Australia. My two principal reasons are 1) their country-wide application of uniform cybersecurity laws, and 2) integration with their Defense Signals Directorate, part of the Australian Department of Defense, for security and privacy practices guidance. Integration with the Defense Signals Directorate is important because it publishes comprehensive guides on cybersecurity controls and shares extensive data on cyberattacks. In the US, we have many competing and overlapping laws, leading to a convoluted cybersecurity legal framework. The US Department of Defense tends to keep its valuable cybersecurity data private.
This chapter is my opportunity to share my views on the future of cybersecurity law as well as to highlight international developments that I believe will shape the security and privacy legislative agenda for the future.

7.1.1 Constitutionality of Cybersecurity Law

As technology changes, so do the interpretations of existing cybersecurity laws. One such example is the case of Sandvig v. Sessions, No. 16-1368 (D.D.C. Mar. 30, 2018). A group of professors and a media organization, which were conducting research into whether the use of algorithms by various housing and employment websites to automate decisions produces discriminatory effects, brought a constitutional challenge alleging that the potential threat of criminal prosecution under the CFAA for accessing a website "without authorization" (based upon the researchers' data scraping done in violation of the sites' terms of use) violates their First Amendment rights (Neuburger, 2018). I expect many interpretations and constitutional challenges to cyberlaw in the future.


7.2 Impact of Technology on Cybersecurity Law

Advances in technology have the potential to affect cybersecurity law more than any other driver. Some of the technologies you will need to evaluate in the context of cybersecurity law include:

• Internet of Things (IoT).
• Big data.
• Cloud computing.
• Security testing.

You will need to look at your company's technology roadmap and future vision to assess the impacts of privacy legislation and the application of cybersecurity. For example, if your marketing director tells you he or she is exploring the use of "algorithmic personality detection" for marketing or risk management, would you know whether this initiative would break any privacy laws if used to search customer social media feeds?

7.2.1 Legal Implications of the Internet of Things (IoT)

If you have not already heard of the Internet of Things (IoT), trust me, you will, and a lot. IoT is the expansion of interconnected devices from vehicles, smartphones, and manufacturing equipment to home appliances. It is the new infrastructure for the information society. Anything with an IP address can be connected, thus allowing device sensing and control from anywhere in the world. IoT will drive massive amounts of data that your company can analyze and make informed decisions on throughout the entire lifecycle of your products or services. Analysts at Gartner estimated that 14.2 billion devices would be connected worldwide in 2019, growing to 25 billion by 2021 (Paul, 2018). Imagine for a moment the significant impact that privacy legislation alone would have concerning personally identifiable information gathered from homes, hospitals, and financial institutions. Let's fast forward to a time when you live in a world where your car can connect automatically with law enforcement and insurance data clearinghouses. Your IoT-enabled car sends speed and location information from your odometer sensor to a central law enforcement database that connects to your local police department to issue you a speeding ticket each time you are detected speeding. And yes, the ticket would show up on your smartphone. What are the privacy implications of that scenario? Another scenario, on a more positive note, would be one in which you pay your car insurance on an insure-as-you-go basis. Here, the insurance company receives information about your driving infractions, where you park, where you drive, as well as how many miles you drive. The insurance company applies risk scoring to every aspect of your driving habits, and your monthly insurance bill is computed based on usage. For example, if your car is parked most of a month, your risk of an accident is lower than if you spent the majority of the time driving on an interstate highway.

These examples and many other advancements leveraging IoT are coming, with the potential to substantially affect cybersecurity law as well as your life.

7.2.1.1 IoT Cybersecurity Regulations

The Internet of Things (IoT) encompasses internet-connected devices that are being deployed by the millions each year. Many IoT devices were designed with little to no security in mind and have been the target of cyberattacks. This lack of security has brought IoT manufacturers under criticism. In an effort to force IoT manufacturers to provide suitable security, federal and state laws have emerged. At the federal level, S.1691 — Internet of Things (IoT) Cybersecurity Improvement Act of 2017 was introduced. This bill requires internet-connected devices purchased by federal agencies to meet specified security requirements, including requirements that the devices (1) do not contain known security vulnerabilities or defects; (2) rely on software or firmware components capable of accepting properly authenticated and trusted updates from the vendor; (3) rely only on non-deprecated industry-standard protocols and technologies for certain functions; and (4) do not include fixed or hard-coded credentials. It is not clear when this bill will pass. Another bill, H.R. 6032 — State of Modern Application, Research, and Trends of IoT Act, provides funding for a study on the secure advancement of internet-connected devices. California, not wanting to wait for a federal bill to pass, passed its own law. California's SB-327, the Security of Connected Devices IoT bill, goes into effect on January 1, 2020. The bill requires that IoT devices be designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
7.2.2 Legal Implications of Big Data Big data is large amounts of differently structured data acquired from many sources and deposited in a huge central repository for analysis. The legal aspect enters when many pieces of disparate data, each with its privacy requirements, are commingled into a single location. Big data permits grocery stores to know how to send you the right coupons because large amounts of data about your digital persona are stored and shared among many companies. Concerns about the legal implications of big data caused the US Department of Justice (DOJ) to publish Big Data: Seizing Opportunities, Preserving Values, a study that looked at big data and the law. The study looked at how big data could help law enforcement, but also considered how big data could be abused. The study’s cover letter to the president states “...big data analytics have the potential to eclipse longstanding civil rights protections in how personal information is used ….” (Podesta, Pritzker, Moniz, Holdren, & Zients, 2014).


The US DOJ's concern is not unfounded. We leave a digital footprint of just about everything we do. Big data sensors and collectors exist virtually everywhere, capturing our digital trail, tracking all our encounters and interactions in life to create a 360-degree view of who we are. If your company uses big data, you will need to ensure that the privacy of that information is protected. If you recall from Chapter 3, I discussed the identifiers of data that, if revealed, can be used to compromise personally identifiable information (PII) and protected health information (PHI). Big data makes this more complicated because instead of having, for example, the standard 18 PHI identifiers, you now could have hundreds from many different sources to protect. Some privacy considerations that you should think about with respect to big data include: Are you capturing private information about foreign nationals? Are you violating any amendment rights because of your collection of big data? Are you anonymizing big data to preserve individual privacy? The questions regarding big data privacy are endless. TIP: When many data sets from multiple sources, each with their individualized privacy requirements, are commingled as big data, the easiest way to implement privacy controls is to provide the highest level of identifier protection to all of the big data.

7.2.2.1 Data Broker Cybersecurity Regulations

Among the largest users of big data are data brokers; a cyberattack on just one data broker could affect tens of millions of consumers. Data brokers who collect and sell personal data to companies require comprehensive cybersecurity precautions. However, not all data brokers implement safeguards commensurate with the threat. To ensure data brokers protect consumer information, Vermont passed the first state law specifically targeted at their industry. What makes this law different from the many state data breach laws is that it covers data brokers who don't have a direct relationship with the consumer. The law applies to any data broker who has data on Vermont citizens, regardless of the broker's location. Vermont law H.764, passed in May of 2018, protects consumers from credit freeze fees and fraudulent acquisition of data, and it establishes a registry of security standards for the data broker industry. Data brokers are required to register with the state annually and demonstrate they have appropriate cybersecurity controls in place to prevent breach of state citizen data. Data brokers must comply by January 1, 2019. The law also imposes specific data security requirements, including data encryption.

7.2.3 Legal Implications of Cloud Computing

The cloud is hardly a new technology; however, advancements in cloud technology are causing concern over data privacy. You may be hosting customer data or your own company's data in the cloud, but do you know where that data goes? Is cloud data bursting (sent to other locations to meet capacity demand) to countries that have stricter data privacy laws than those to which your data is presently designed to adhere? Is your data hosted in a country that restricts the personal identifiers you are allowed to maintain? These and many other questions must be asked to ensure your cloud computing is not breaking any privacy laws. Balance the economic benefits and processing efficiencies the cloud provides with the law. The contracts for cloud computing that you sign or have your customers sign must clearly outline the legal protections and responsibilities of each party. You will need to ensure that data governance, privacy, security, and access policies conform to each law of the state or country through which that cloud data may pass or reside. Do you know your legal rights specified in the cloud computing contracts you signed? If you host and process data for internal or external customers, you should have a set of recommended customer controls they should deploy to participate in the security and privacy of their data. These controls could be as simple as a policy to keep their access passwords secure or as sophisticated as pre-scanning their data for malware before uploading to your site.

7.2.4 Legal Implications of Security Testing

Could you be breaking the law by performing security testing? You just may be if you are not doing it properly. Large organizations have security testing labs where they deconstruct software looking for weaknesses. The problem is that virtually all software is copyrighted and covered by the Digital Millennium Copyright Act (DMCA). I became keenly aware of DMCA's Section 1201 when developing a large "red team" penetration testing program for a Fortune 500 company. The red team was staffed with expert penetration testers who assumed the fictitious role of a hacker attempting to break into the client's network and applications. I found that requesting an exemption under the DMCA would take too long, destroying the project's timeline. I went to an alternate plan in which a DMCA violation assessment was performed on copyrighted software products where our security testing could cause us to violate the DMCA.
For those products, we sought consent from the software product owners. This was the right course of action because it was illegal for security researchers to unlock copyrighted software or otherwise circumvent the product’s security measures without the consent of the author or licensor of the software. In late 2014, I heard from some security researcher friends that a movement had begun to attempt to change the language of section 1201. Wondering if anything came from their efforts, I examined the section 1201 rulemaking document recently. I read in this report that many security researchers and academics lobbied the US Department of Commerce to amend section 1201, removing the language making it illegal to perform security testing and search for vulnerabilities. Their efforts paid off because, as of October 28, 2016, the DCMA included a two-year exemption, or more importantly two years of legal protections, for good-faith security testing, reverse engineering, encryption development, and security testing. This is another example of how the law permeates many aspects of your company’s technology and security operations. I recommend providing your security research or applications development team with a copy of this exemption to review what changes if any they need to make to ensure compliance with the DCMA. If you want to read up on all the changes as I did, you can go to the US Copyright Office website at http://www.copyright.gov/title17/92chap12.html. 240

7.2.4.1 Legal Impact on Bug Bounty Programs

On September 11, 2019, the California State Senate passed a precedent-setting law that could have a dramatic effect on popular bug bounty programs. The bill, known as Assembly Bill 5 (A.B. 5), passed the California Senate, was ratified by the State Assembly, and was signed by the Governor. The law takes effect in early 2020. The bill, originally targeted at the ride-sharing companies Uber and Lyft, potentially applies to most contract workers, including bug bounty hunters. Under this law, contractors would be afforded the same protections and partial benefits enjoyed by employees. The “ABC test” that came out of the ruling allows for the classification of workers as independent contractors only if employers can verify: (A) that the worker is free from the control and direction of the hirer in connection with the performance of the work, both under the contract for the performance of such work; (B) that the worker performs work that is outside the usual course of the hiring entity’s business; and (C) that the worker is customarily engaged in an independently established trade, occupation, or business of the same nature as the work performed for the hiring entity (Canon, 2019).

7.2.4.2 The Legality of Ethical Hacking

Did You Know? In September of 2019, two men hired from Coalfire Labs, a cybersecurity firm, were arrested for physically breaking into a Dallas County, Iowa, courthouse after the state’s judicial branch hired them to test the vulnerability of court records. The judicial branch intended a test of the security vulnerabilities of Iowa’s electronic court records, not a physical break-in. Does your organization know how to structure rules of engagement for a security test? Source: https://www.desmoinesregister.com/story/news/crime-and-courts/2019/09/11/men-arrested-burglary-dallas-county-iowa-courthouse-hired-judicial-branch-test-security-ia-crime/2292295001/

There is a fine line between legally and illegally hacking an organization, and that fine line is a piece of paper. Sanctioned penetration testing, or ethical hacking, requires that both parties agree on the scope of the test, including the approach, the assets involved, the confidentiality of results, and the concept of “do no harm.” This agreement is critical to avoid breaking any number of laws involving unauthorized use of computer systems or unauthorized access to information. Legal complications abound when you think about tests crossing state lines, testers finding or accessing personally identifiable information, encroaching on cloud infrastructure not owned by the test authorizer, and so on. The ethical hackers will need their own get-out-of-jail-free card, signed by the testers, the asset owners, and any applicable third parties whose property will be accessed.

To ensure ethical hacking remains within acceptable legal boundaries, a scope of work is prudent. This document describes the work to be performed, the assets and information to be accessed, the timeframe, and the tactics, techniques, and procedures to be used. You should not incur any legal problems if you plan the ethical hacking properly. To read more about the investigation of the Coalfire Labs incident, check out https://www.kcci.com/article/iowa-supreme-court-chief-justice-apologizes-over-courthouse-burglaries/29367960# for recent updates. Learning from this case should keep you from running afoul of the law.

7.3 Future US Cybersecurity Legislation

Cybersecurity begins at home, which is exactly where I will start. US cybersecurity and privacy legislation is robust, albeit confusing. And it is about to get even more confusing in light of the more than one dozen new pieces of cybersecurity legislation still pending on Capitol Hill. No one knows which of these will become law, but one thing is for sure: it is in your best interest to know what these bills entail so that you can monitor those most applicable to your organization. I also see no end to new cybersecurity and privacy laws, despite the campaign promises of candidates for political office to eliminate government regulations. In my opinion, and based on recent and pending cybersecurity legislation, this is an area of regulation that is likely to increase. As of this writing, the following are active cybersecurity bills worth keeping an eye on, with the summary text provided by the respective bill’s sponsors:

• H.R.1560 – Protecting Cyber Networks Act: Amends the National Security Act of 1947 to require the Director of National Intelligence (DNI) to develop and promulgate procedures to promote: the timely sharing of classified and declassified cyber threat indicators in the possession of the federal government with private entities, non-federal government agencies, or state, tribal, or local governments; and the sharing of imminent or ongoing cybersecurity threats with such entities to prevent or mitigate adverse impacts.
• H.R.1731 – National Cybersecurity Protection Advancement Act of 2015: Allows the DHS National Cybersecurity and Communications Integration Center (NCCIC) to include tribal governments, information sharing and analysis centers, and private entities among its non-federal representatives.
• H.R.3664 – Promoting Good Cyber Hygiene Act of 2015: Requires the National Institute of Standards and Technology (NIST) to establish, for the federal government, the private sector, and any individual or organization, a list of voluntary best practices for effective and usable cyber hygiene to help protect information systems or devices against cybersecurity threats that include unauthorized access, alteration of information or code running on such systems or devices, and unauthorized denials of service.
• H.R.3873 – International Cyber Policy Oversight Act of 2015: Directs the Department of State to produce a comprehensive strategy, with a classified annex if necessary, relating to US international cyberspace policy, and to publicly release such strategy.
• H.R.3878 – Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2015: Requires DHS to implement, and evaluate at least every two years, a maritime cybersecurity risk assessment model to evaluate current and future cybersecurity risks. The model must be consistent with the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity and any updates under the Cybersecurity Enhancement Act of 2014.
• H.R.5069 – Cybersecurity Systems and Risks Reporting Act: Amends the Sarbanes-Oxley Act of 2002 to apply to cybersecurity systems and cybersecurity systems officers the same requirements regarding corporate responsibility for financial reports and management’s assessments of internal control structures and procedures for financial reporting as apply to public companies subject to oversight by the Securities and Exchange Commission (SEC).
• H.R.5390 – Cybersecurity and Infrastructure Protection Agency Act of 2016: Redesignates the Department of Homeland Security’s (DHS’s) National Protection and Programs Directorate as the Cybersecurity and Infrastructure Protection Agency (CIPA). Requires CIPA to perform critical infrastructure risk assessments to determine the risks posed by particular types of terrorist attacks within the United States, and to recommend measures necessary to protect critical infrastructure in coordination with other federal entities and in cooperation with non-federal entities.
• H.R.6032 – Data Breach Insurance Act: Provides IRS credits for the purchase of data breach insurance.
• H.R.6066 – Cybersecurity Responsibility and Accountability Act of 2016: Requires the designation of a senior agency information security officer. Grants more authority to the Director of NIST to publish a cybersecurity framework, conduct research, and perform an annual independent evaluation of cybersecurity programs and major cybersecurity incidents.
• S.2007 – Federal Cybersecurity Workforce Assessment Act: Requires federal agencies to identify all personnel positions that require the performance of information technology, cybersecurity, or other cyber-related functions and to align them with the National Initiative for Cybersecurity Education’s National Cybersecurity Workforce Framework.
• S.2764 – Cyber AIR Act: Requires domestic or foreign air carriers and manufacturers of aircraft or of electronic control, communications, maintenance, or ground support systems for aircraft to disclose to the Federal Aviation Administration (FAA) any attempted or successful cyberattack against any system on board an aircraft or against any maintenance or ground support system for aircraft.
• S.3024 – Small Business Cyber Security Improvements Act of 2016: Authorizes the Small Business Administration (SBA) to make grants to small business development centers (SBDCs) in furtherance of an SBDC Cyber Strategy to be developed by the SBA and the Department of Homeland Security (DHS).
• S.3295 – National Cybersecurity Preparedness Consortium Act of 2016: Provides for cybersecurity training to state and local cyberattack first responders and promotes cross-sector cyberattack simulations.

In addition to these bills, dozens of amendments have been proposed to existing laws. As you can see, laws exist and are being proposed for virtually every type of company or government organization in relation to cybersecurity. The reality is that not many of these bills will eventually become law. I also expect some of these bills to converge as they make their way through the legislative vetting process.

7.4 US Foreign Policy on Cybersecurity

You may not have thought about the US having a foreign policy on cybersecurity, but we do. Our economic health and prosperity depend on our global trade, and one of the top economic enablers is a secure cyberspace in which to conduct commerce. Just as your company may be financially impacted by a cyberattack, our economy can be significantly harmed if a nation-state were to launch a cyberattack against our critical financial infrastructure. This requires that our nation have a foreign policy on cybersecurity, just as we have a foreign policy on terrorists. The five components of the US government’s cybersecurity foreign policy of which you should be aware are:

1. Secure US Critical Infrastructure – ensure the infrastructure that the US economy relies on is free of foreign cyberattacks.

2. Sense and Identify Cyber Threats – maintain the ability to identify and respond to foreign cyberattacks.
3. Build International Cybersecurity Partnerships – work with the nations of the world to ensure a secure Internet.
4. Secure US Government Networks – set clear security protection targets and hold agency heads accountable.
5. Build a Self-reliant and Capable Cybersecurity Workforce – work with the private sector to attract, train, and retain a top cybersecurity workforce.

You may have the impression that these components are not very comprehensive, and you would be right, except when you put them in the context of goals. The US government’s foreign policies are meant to serve only as goals supported by Presidential Orders and Directives. Table 7-1 provides a summary of the Presidential Orders and Directives that support our nation’s cybersecurity foreign policy.

Table 7-1. Presidential Orders and Directives

Year | Directive or Order | President | Subject
2019 | Executive Order 13873 | Donald J. Trump | Securing the Information and Communications Technology and Services Supply Chain
2019 | Executive Order 13870 | Donald J. Trump | America’s Cybersecurity Workforce, which holds agency heads accountable for managing cybersecurity risk to their enterprises, including ensuring the effectiveness of their cybersecurity workforces
2017 | Executive Order 13800 | Donald J. Trump | Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
2016 | Executive Order 13718 | Barack Obama | Commission on Enhancing National Cybersecurity
2015 | Executive Order 13691 | Barack Obama | Promoting Private Sector Cybersecurity Information Sharing
2015 | Executive Order 13694 | Barack Obama | Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities
2014 | Executive Order 13681 | Barack Obama | Improving the Security of Consumer Financial Transactions
2014 | Presidential Policy Directive 28 (PPD-28) | Barack Obama | Protection of Signals Intelligence Activities, to reduce the potential for disclosure
2013 | Executive Order 13636 | Barack Obama | Improving Critical Infrastructure Cybersecurity, to reduce cyber intrusions
2013 | Presidential Policy Directive 21 (PPD-21) | Barack Obama | Critical Infrastructure Security and Resilience, to strengthen and maintain secure, functioning, and resilient critical infrastructure
2011 | Executive Order 13587 | Barack Obama | Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, to ensure national security
2009 | President directed a 60-day, comprehensive, “clean-slate” review | Barack Obama | Cyberspace Policy Review of security-related policies and directives, to validate their relevancy

Note: Links are current as of February 10, 2020. To see how some or all of these orders and directives support the US foreign policy on cybersecurity, I recommend you review the White House site at https://obamawhitehouse.archives.gov/issues/foreign-policy/cybersecurity.

7.5 National Association of Insurance Commissioners (NAIC) Model Cybersecurity Law

The insurance industry has been inextricably linked to cybersecurity law for some time now. Many companies carry some form of data breach insurance, subsequently placing insurance companies in the position of paying for these breaches. You may recall cyber liability policies from previous chapters. In Chapter 6, I cover these types of policies in more detail. To show leadership for their insured, the National Association of Insurance Commissioners (NAIC) adopted a model law to hold licensed insurance companies to the highest standards and practices of protecting information. On October 24, 2017, the NAIC formally approved the Insurance Data Security Model Law (model law). The NAIC is a standard-setting and regulatory support organization consisting of the top insurance regulators from the 50 states, the District of Columbia, and five U.S. territories. Figure 7-1 is a graphical depiction of the model law.

Figure 7-1. NAIC Model Law

I have followed the development of this model law, as several of my clients are insurance companies. What I found interesting is that this law, which was initially positioned as the exclusive standard for data security and breach investigation for insurance companies, has now become rather bland. I saw this coming when I reviewed the last model draft; I noticed a substantial softening of the previous hard stand on required controls and enforcement. I suspect a lot of the changes resulted from lobbying by state insurance commissioners, who charter insurance companies to operate in their states. Their concerns likely involved how the model law could conflict with existing state safety and soundness requirements, as well as duplication with state data breach laws. They likely already feel they are over-regulated when it comes to cybersecurity. I originally saw this model law as a harbinger of insurance companies requiring their policyholders to comply with the model law to obtain cyber risk insurance. Based on the number of lawsuits between insurance companies and cyber liability policyholders, this model law could have served as a baseline of minimum cybersecurity standards on which to base policy underwriting decisions. I always felt that the NAIC hoped to remove the confusion regarding the proper standard of care to protect personal information, reducing insurer-policyholder lawsuits. If you are in the insurance industry, you may find it helpful to review my summary of the model law:

• The model law does not supersede any state data breach laws; however, the law that affords the most consumer protection is to be followed. This represents a compromise from the exclusive standard originally proposed.
• Licensees have the exclusive right to oversee the cybersecurity capability of their third-party service providers and will be responsible for any third-party failures to protect personal information. This is the strongest provision of the model law.
• Originally, the model law specifically required licensees to follow NIST security standards; however, it has changed to accepted cybersecurity programs.
• Originally, licensees would have been required to participate in an Information Sharing and Analysis Center (ISAC); this has now been changed to accepted cybersecurity principles to share information.
• The draft removes many of the enforcement provisions, including judicial review, monetary penalties, and cease and desist orders. This removal is likely due to duplication with numerous state data privacy laws.

If you work for an insurance company, you will have yet another law with which to comply. However, you will now also have the challenge of mapping this law with each of the states where your company operates to know which portion of the model law applies in comparison to each state’s data protection laws. As of September 2019, only five states have adopted the model law as part of their state insurance commission’s cybersecurity regulation. One of those states, South Carolina, imposed a new breach notification and information security law covering entities authorized to operate under the state’s insurance laws based on the NAIC model law. The South Carolina Insurance Data Security Act (“Act”) is at the forefront of a movement towards consistent cybersecurity laws (S. Goldstick, J. Rathburn & A. Tantleff, 2019).

7.6 Harmonization of International Cybersecurity Laws

The global economy relies on free trade to fuel economic growth, ensuring the world’s continued financial health. Many of the world’s largest economies are inextricably linked, to the point that when countries like China or Greece have a financial hiccup, the world’s financial markets reel, sending a seismic economic shiver throughout the financial world. What would happen to the global financial markets if a cyberattack were launched against the world’s financial infrastructure? The results could very well cause their own economic seismic shock. Cooperation between trading countries in the area of cybersecurity to reduce the risk of such an attack is an economic security imperative. What is revealed by the hundreds of cybersecurity, privacy, and data protection laws enacted worldwide is that countries differ significantly on what data should be protected and how. These differences must be reduced through the harmonization of cybersecurity legislation. Not only will this harmonization enable free trade, but it will also ensure the security of trade activity.

7.6.1 Cybersecurity Law and Trade Pacts

To promote this trade, countries negotiate trade pacts to facilitate and balance trade between economic zones or specific countries. The world economy has evolved into two factions:

• Those that manufacture goods.
• Those that are information-based and produce services.

Connecting these two factions is information technology; acknowledgment of this can be found in virtually every trade pact ratified in the past 20 years. Trade cannot occur without electronic payments, sophisticated applications, and the protection of intellectual capital. With shared customers, multi-country manufactured goods, and cloud-based services, the global economy has placed the world’s goods and services on the doorstep of Main Street. And the enabler of all this is, and will continue to be, cybersecurity law. To underscore the importance of cybersecurity to the US, let’s look a little closer at economic data. According to the US Department of Commerce, 81 industries out of the 313 tracked are intellectual property (IP) driven, generating over 27 million jobs. These IP-driven industries generate $6.6 billion, or 38.2 percent of the US gross domestic product (GDP) (Antonipillai & Lee, 2016). For this number to grow, the US will need to expand trade pacts, subsequently requiring cybersecurity to enable IP-driven growth.

7.6.2 Harmonization of Cybersecurity and Privacy Law

However, without the harmonization of these laws, the global economy risks turning into a factional economy where only those countries that can agree on shared ideals of protecting information will trade. Harmonization of cybersecurity and privacy law is not only inevitable but essential to a healthy global economy. Harmonization of laws is the process of aligning and rectifying legislative disparities so that countries can trade goods and services on an even basis, knowing that the information exchanged is equally protected and that the integrity of their IP is maintained. What this means for cybersecurity, at the very least, is that computer security terminology must be normalized, as must the definitions of privacy. We need to begin, at least, by speaking the same language. In the extreme, agreements must be made on how to globally enforce cybersecurity legislation, with supporting global rules of procedure for criminal and civil cases. One of the impediments that I can see to normalizing personal privacy attributes is human rights protections. Countries such as China, Pakistan, and others use cybersecurity laws to prevent freedom of speech and invade personal privacy rights to further carry out their governments’ oppressive control. With the issue of human rights and confidentiality looming, the US, as well as other democratic countries, will find it difficult to enter into unilateral cybersecurity and privacy laws or agreements.

7.6.3 Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) Cybersecurity Framework

Originally billed as the Trans-Pacific Partnership (TPP), a consortium of 12 countries sought to strengthen economic ties among nations bordering on the Pacific Ocean. In 2017, the United States pulled out of the TPP. Once the US pulled out, the remaining 11 nations continued forward, and the agreement was renamed the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP). CPTPP went into effect on December 30, 2018, and although it is a separate treaty, it incorporates, by reference, the provisions of the original Trans-Pacific Partnership (TPP). I was eager to download a copy of the agreement to see how cybersecurity was treated. Chapter 14, Electronic Commerce, was exactly what I was looking for – an entire section dedicated to cybersecurity. After reading this chapter, I can provide you with a glimpse into the future of cybersecurity agreements. I was pleasantly surprised to see a uniform definition of personal information. Within TPP, “personal information means any information, including data, about an identified or identifiable natural person” (Office of the US Trade Representative, 2016, Article 14.1). This definition remains in CPTPP. As previously discussed concerning the harmonization of cybersecurity laws, arriving at a cybersecurity language framework will be crucial to achieving a global framework on cybersecurity law. CPTPP offers the first step, where the following 11 nations have aligned on a definition of personal information: Australia, Brunei, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore, and Vietnam. If your company does business with any of these countries, I recommend you read Chapter 14, Electronic Commerce, to see how CPTPP may impact how you approach cybersecurity with any of your trading partners or customers. Chapter 14 of this agreement contains articles which I believe have the potential to shape the future of international cybersecurity and privacy law harmonization. Below is the exact text (and my own paraphrasing and summaries) from the CPTPP relating to the cybersecurity articles, along with my forecast of impact:

• Article 14.5: Domestic Electronic Transactions Framework – Requires that each party maintain a legal framework governing electronic transactions consistent with the principles of the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce (United Nations, 1999) or the United Nations Convention on the Use of Electronic Communications in International Contracts (United Nations, 2007). My prediction is that what we will likely see here is a formalization of security frameworks, backed by the force of law of each of the parties, relating to:
  o The legal value of computer records.
  o Stringent standards for protecting computer records.
  o Certifying and preserving computer records.
  o Message authentication.
  o Technical security devices.
  o Non-repudiation of messaging.
  Forecast: Participating countries will adopt a unified security framework based on some portions of the UNCITRAL model. The security framework will require modernization to reflect current and future technologies. Ratifying countries will enforce the provisions of TPP and the security framework through their respective laws and regulations.
• Article 14.6: Electronic Authentication and Electronic Signatures – Requires that each party accept digital signatures in the same manner as physical signatures and prevents parties from requiring a judicial review of signatures to prove authenticity. Forecast: Will create the need to adopt a digital signature standard (DSS) and uniform legal ratification across national jurisdictions. A reasonable standard could be adopted by the US with our FIPS PUB 186-4, Federal Information Processing Standards Publication – Digital Signature Standard (DSS). Software companies will create a DSS platform supporting language and character localization of digital signatures.
• Article 14.8: Personal Information Protection – Requires that each party adopt or maintain a legal framework that provides for the protection of personal information, leveraging privacy guidelines from relevant international bodies. The legal aspects of privacy will be further enunciated by:
  o Adopting practices to protect individuals from privacy violations.
  o Prescribing how individuals can pursue privacy violation remedies.
  o Publishing how businesses can comply with any legal requirement.
  o Promoting compatibility between privacy legislation.
  Forecast: Will bring forth the identification and ratification of one or two internationally accepted privacy frameworks to form safe harbor provisions for companies that follow and abide by them. The likely candidate for this framework is the Organisation for Economic Co-operation and Development (OECD) (2013) Privacy Framework, based on the fact that seven of the largest TPP countries are currently OECD members (Organisation for Economic Co-operation and Development, 2016).
• Article 14.11: Cross-Border Transfer of Information by Electronic Means – Requires parties to allow the cross-border transfer of personal information. Forecast: Will foster an agreement or pact, backed by the force of individual national laws, for the adoption of uniform privacy-preserving measures for data-in-transit, data-at-rest, and data residing in the cloud.
• Article 14.14: Unsolicited Commercial Electronic Messages – Requires parties to maintain measures to restrict and limit unwanted electronic messages such as spam. Recourse will be available against parties initiating the unwanted electronic messages. Forecast: Adoption of a Trans-Pacific spam law based on a uniform framework implemented by each nation’s Internet service providers and telecommunication providers. The law would contain a standard definition of offenses, consistent penalties, and memoranda of extradition.
• Article 14.15: Cooperation – Requires companies to cooperate and share experiences in personal information protection, regulation, consumer protection, security, authentication, and other related matters. Forecast: Lays the groundwork for the creation of a Trans-Pacific Information Sharing and Analysis Center (ISAC) deployed within one of the 12 nations and staffed with multi-nation cybersecurity and privacy experts.
• Article 14.16: Cooperation on Cybersecurity Matters – Requires parties to establish national incident response and malware detection and alert capabilities to address cybersecurity and cyberattack events. Forecast: Lays the groundwork for the formation of a Trans-Pacific computer emergency response team (CERT). The CERT would maintain a malware lab to investigate and create mitigation capabilities for zero-day vulnerabilities.

The TPP will provide an unprecedented opportunity to draft a pact or series of cybersecurity agreements that may very well usher in the age of global cybersecurity law harmonization. TIP: Evaluate the TPP in relation to the countries where your organization conducts business. Flag the laws of those countries for legal alerts to gain insight into whether the TPP will influence their legal provisions.

7.6.4 Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System

Throughout the world, countries are leveraging existing economic development agreements to protect the interests of their member countries’ information in order to bolster trade. One such agreement is the Asia-Pacific Economic Cooperation (APEC), a regional economic forum established in 1989. APEC’s 21 members (Australia, Canada, Chile, China, Japan, Mexico, the United States, etc.) strive to bring regional prosperity through balanced growth and shared economic policies. APEC recognized that a key tenet of growth is the integrity of information flow within the region. To protect this information and ensure the privacy of citizens within the region, APEC established a data privacy framework in 2011. Known as the Cross-Border Privacy Rules (CBPR) System, the CBPR is a voluntary, accountability-based data privacy scheme to facilitate privacy-respecting personal information flows among APEC economies. CBPR has four main components:

1. Establish criteria to become recognized as a CBPR accountability agent.
2. Establish a process for information controllers to be certified as APEC CBPR system compliant by a recognized accountability agent.
3. Establish assessment criteria for use by accountability agents when reviewing whether an information controller meets CBPR criteria.
4. Establish enforcement of CBPR in conjunction with Privacy Enforcement Authorities participating in CBPR (APEC, 2019).

Last revised in 2015, the APEC Privacy Framework benefits consumers and businesses alike by ensuring that regulatory differences do not block businesses’ ability to deliver innovative products and services. Significantly, the CBPR System was recognized in the new trade agreement among Canada, Mexico and the United States, demonstrating the trade benefits of cooperating on these issues. Further, Japan has recognized the CBPR System to enable cross-border data transfers in compliance with domestic law. As of November 2019, only 30 organizations, including Apple, Cisco Systems, Inc., General Electric, Hewlett-Packard, Inc., IBM and Mastercard International, have certified under CBPR. Through the CBPR System, certified companies and governments are working together to ensure that when personal information moves across borders, it is protected in accordance with the standards prescribed by the system’s program requirements and is enforceable across participating jurisdictions. The CBPR System protects personal data by requiring:

• Enforceable standards: To join, participating economies must demonstrate that CBPR program requirements will be legally enforceable against certified companies.
• Accountability: To become certified, a company must demonstrate to an Accountability Agent – an independent CBPR System-recognized public or private sector entity – that it meets the CBPR program requirements, and the company is subject to ongoing monitoring and enforcement.
• Risk-based protections: Certified companies must implement security safeguards for personal data that are proportional to the probability and severity of the harm threatened, the confidential nature or sensitivity of the information, and the context in which it is held.
• Consumer-friendly complaint handling: Accountability Agents receive and investigate complaints and resolve disputes between consumers and certified companies in relation to non-compliance with the system’s program requirements.
• Consumer empowerment: Certified companies must provide consumers with the opportunity to access and correct their personal data. Further, because companies publicly certify to the CBPR System’s requirements, consumers gain insight into the privacy practices of the businesses with which they choose to do business.
• Consistent protections: While governments may impose additional requirements with which certified companies must still comply, all participants must agree to abide by the 50 CBPR program requirements, facilitating the implementation of the same baseline protections across different legal regimes.
• Cross-border enforcement cooperation: The CBPR System provides a mechanism for regulatory authorities to cooperate on the enforcement of program requirements. (APEC, 2019)

Figure 7-2 shows the CBPR process.


Figure 7-2: CBPR Process

Table 7-2 presents accountability agents for some of the main members of the CBPR.

Table 7-2. Accountability Agents

Country        | Accountability Agent
Japan          | Japan Institute for Promotion of Digital Economy and Community (JIPDEC)
Singapore      | Infocomm Media Development Authority (IMDA)
United States  | Schellman & Company; TrustArc, Inc.

Note: Links are current as of February 10, 2020.

7.6.5 US-Mexico-Canada Agreement (USMCA)

As a replacement for the North American Fair Trade Act (NAFTA) – H.R. 5430, the USMCA encourages ratifying countries to endeavor to employ, and to encourage enterprises within their jurisdiction to use, risk-based approaches that rely on consensus-based standards and risk management best practices to identify and protect against cybersecurity risks and to detect, respond to, and recover from cybersecurity events. Specific articles on information security and privacy are outlined in Chapter 19:

• Article 19.6: Electronic Authentication and Electronic Signatures
• Article 19.7: Online Consumer Protection
• Article 19.8: Personal Information Protection
• Article 19.15: Cybersecurity

I encourage anyone with interests in the countries covered by the USMCA to review Chapter 19 located at https://usmca.com/digital-trade-usmca-chapter-19/.


7.6.6 Cyberbalkanization Laws

Countries such as China, North Korea and Russia have passed laws or government edicts and developed capabilities to control the access their citizens have to the Internet. Countries practicing cyberbalkanization require, and can force, Internet Service Providers (ISPs) to route Internet traffic through government-owned and -controlled network nodes or an alternate domain name service (DNS). Essentially, what has been created is a sovereign Internet that can be disconnected from the actual Internet to quash public discontent or to suppress attacks originating outside of that sovereign Internet.

7.6.7 Data Localization Laws

Data localization is a way of storing data within the physical boundaries of a country. For instance, data generated in China should be stored within the physical boundaries of China. Some countries also demand that the company creating and transmitting this data have a physical presence within their geographical boundaries. The main reason behind the push for data localization laws has been the increasing concern about how the security and privacy of data will be maintained once it has crossed international borders. Russia began enforcing domestic data storage standards in 2015, forbidding Russian citizens’ data to leave the country. Data localization can be mandated by national laws that explicitly require data on citizens to be stored on servers physically located within national borders. In some jurisdictions, such as the European Union, the burden of complying with data protection regulations surrounding cross-border transfers can be so great that in-country data storage and processing become an attractive, cost-effective alternative. In countries where data localization is not explicitly required by national law, public opinion and enterprise customers of data storage technologies strongly favor in-country data storage solutions. Table 7-3 presents a sample of data localization laws by country.


Table 7-3. Data Localization Laws by Country

Country | Law | Summary
Australia | Personally Controlled Electronic Health Record Provision | Restricts the exportation of any personally identifiable health information.
Canada | Two provincial personal information laws: Nova Scotia and British Columbia | Restricts the exportation of any personal data collected by or for public bodies.
China | Guidelines for Personal Information Protection within Public and Commercial Information Systems | Prohibits the overseas transfer of data without express user consent or government permission.
Germany | Telecommunications Act | Requires telecommunications providers to store metadata for a specified period within country borders.
Greece | National Data Sharing and Accessibility Policy | Data generated and stored on physical media located within Greek territory shall be retained within Greek territory.
Hong Kong | Section 33 of the Personal Data Privacy Ordinance | Prohibits the transfer of personal information outside of Hong Kong, like GDPR.
India | National Data Sharing and Accessibility Policy | Requires all data collected using public funds to be stored within the borders of India.
Indonesia | Regulation No. 82: Information and Electronic Transaction Law | Mandates that any company which provides internet-enabled services directly to the consumer must locate its data centers within country borders.
Kazakhstan | Amendments to Certain Legislative Acts on Informatization | Requires that all personal data collected within Kazakhstan be stored within the country.
Malaysia | Personal Data Protection Act | Personal information regarding citizens must be stored on local servers.
Mexico | Ley Federal de Protección de Datos Personales en Posesión de los Particulares | Permits cross-border transfers of personal information, provided that the data subject gives informed, prior consent.
New Zealand | Commissioner of Inland Revenue | Requires that electronic business and tax records be stored locally.
Nigeria | Guidelines for Nigerian Content Development in Information and Communications Technology | Requires that all consumer and subscriber data collected by companies in Nigeria be hosted within the country.
Russia | Russian Federal Law No. 242FZ | Compels data operators to store citizen personal data only within country boundaries.
South Korea | Korean Network Act | Requires digital communications providers who hold South Korean data, but who have no physical presence in the country, to establish a domestic representative to handle and monitor data protection issues.
Turkey | E-Payment Law | Requires companies that provide e-payment services to conduct all data processing within country borders.
United States | DoD Interim Rule on Network Penetration Reporting and Contracting for Cloud Services | Requires that all cloud computing service providers that work for the DoD store DoD data within U.S. territory.
Vietnam | Decree of Information Technology Services | Mandates that all companies that provide a range of different internet-enabled services maintain at least one server within country borders.
Venezuela | Articles 28 and 60 of the Constitution | Requires in-country processing of domestic payment transactions.

7.6.8 Singapore Payment Services Act

Recognizing the new risks arising from technology such as cryptocurrencies, some foreign monetary authorities are passing regulations to protect consumers from fraud and abuse resulting from emerging digital payment platforms and currencies. One such monetary authority is the Monetary Authority of Singapore (MAS). On January 14, 2019, MAS passed the Payment Services Act (PS Act). The PS Act is designed to require licensing and regulation of payment service providers. One of the fundamental goals of the Act is to combat the risk of payment services being used for any illicit activities. Any license holder will need to comply with the various anti-money laundering (AML) and countering the financing of terrorism (CFT) regulations. The Act also contains language requiring license holders, in certain situations, to set up cybersecurity procedures to reduce technological and cyber risks. Part 7: Regulatory Risk (4) – Technology and Cyber Risk of the PS Act includes specifications for:

• 33.1 – Guidelines for IT risk management principles and best practices following a robust technology risk management (TRM) framework.
• 33.2 – Requirements for cyber hygiene practices to mitigate the growing risk of cyber threats.
• 34.1 – Requirements for maintaining high availability, recoverability, data protection and incident reporting.
• 35.1 – Strengthening technology controls and processes.

If you want to learn more about the PS Act, check out the FAQ located at https://www.mas.gov.sg/-/media/MAS/FAQ/Payment-Services-Act-FAQ-4-October-2019.pdf.

7.7 Aligning the Law of the Sea to Cybersecurity Law

The concept of the Law of the Sea has been around since 1958, and after many iterations, a formal convention, the United Nations Convention on the Law of the Sea (UNCLOS), was drafted and opened for signing in 1982, going into force in 1994. To date, over 100 nations have signed the Convention (United Nations, 1982). Most of us who have ever watched television news have heard about countries having the right to claim, as sovereign, territory 12 nautical miles off their coast. Beyond this is another 200 nautical miles that can be classified as an economic zone – think fishing, mining, and recreation. Beyond all of that is the high seas, where pirates exist. The high seas have often been compared to cyberspace, and it is what can happen on the high seas under the Law of the Sea that has often been compared to cybersecurity law. Under UNCLOS, each country can apply its own interpretation to passage on the high seas and to how it defends itself and others. There is a growing argument that cyberspace can be treated the same way as the high seas and that countries have the right to defend themselves against cyberattack. The United Nations (UN) Division for Ocean Affairs and the Law of the Sea is a good source for more information: https://www.un.org/Depts/los/convention_agreements/convention_overview_convention.htm.

Did You Know? In June of 2017, the US Maritime Administration filed an incident report stating that 20 vessels in the Black Sea were victims of a mass GPS spoofing attack. The twenty ships found their GPS receivers reporting inaccurate coordinates. The ships impacted verified that their GPS receivers were in proper working order; however, they were still 20 miles off course from their expected position. Russia is the suspected bad actor behind these attacks. Source: https://maritime-executive.com/editorials/mass-gps-spoofing-attack-in-black-sea

In 2009, the US Coast Guard and the Department of Homeland Security jointly issued a Port Security Advisory entitled Guidance on Self-Defense or Defense of Others by US Flagged Commercial Vessels Operating on High-Risk Waters. The advisory states that use of lethal force is permitted in self-defense or to defend others when you believe an imminent danger of death or great bodily harm exists; non-deadly use of force is permitted in self-defense or defense of others as well as in defense of the vessel and its cargo from theft or damage; and concerning the protection of property, force may only be used to defend the vessel and its cargo when authorized by the vessel’s master (US Department of Homeland Security, 2009).

Some legal scholars and cybersecurity experts are making the point that governments and businesses have the right to defend themselves against a cyberattack using the principles of the UNCLOS. In fact, the US and UK have already made public declarations that under certain conditions they may retaliate against a cyberattack. Applying provisions of UNCLOS to businesses under cyberattack may provide the legal basis that enables companies with the resources to protect themselves when under cyberattack. I believe that there will soon be a precedent case where a US company fights back while under cyberattack. The FBI already suspects private companies of hiring security companies to retaliate against those who attack first. In 2013, JPMorgan Chase came under the FBI’s scrutiny when, coincidentally, it was reported that hackers took down the same Iranian servers that were purportedly used to attack the bank’s infrastructure – an action for which the company is said to have advocated in a meeting with the US government in 2013 (Mott, 2014).

7.8 Cybersecurity Law in Outer Space

Did You Know? NASA Astronaut Anne McClain has been accused of identity theft and improper access to private financial records. The astronaut allegedly hacked her estranged spouse’s bank account from space while on the International Space Station. Source: https://www.forbes.com/sites/daveywinder/2019/08/25/nasa-astronaut-accused-of-hacking-bank-account-from-space/#562e31ca54e9

In case you are chuckling at this topic, hold your laughter until I tell you that you can now receive a one-of-its-kind Master of Laws (LL.M.) degree from the University of Nebraska in space, cyber, and telecommunications law. If you are still chuckling, consider that in 2008 cosmonauts on the International Space Station discovered a virus (W32.Gammima.AG) that shot up to the space station on a Russian laptop (Powell, 2008).

Most of us probably don’t think much about cybersecurity law in space, but it could become a problem, especially in light of the growth in private space commerce. Think for a moment about what is floating around in space – technology, satellites, rockets, vehicles, space stations, and other space-based systems. Each of the countries which sends its astronauts to the space station brings its own technology. What would happen (again) if any one of those computers were compromised through a zero-day vulnerability? A zero-day vulnerability is a computer vulnerability that is not known in advance of its exploitation, so no fix is yet available. Much of the world’s air and maritime transportation, weather data, military communications, and financial communications rely on space technology. Imagine the consequences of a cyberattack against a satellite. Well, you won’t have to imagine it, since this has happened: in 2014, US satellites fell victim to a major Chinese cyberattack (Johnson, 2014). No shortage of threat vectors exists when you consider the over 1,200 satellites circling in space from 60 different countries (Meyer, 2016). The basis for any cybersecurity law applying to space would likely need to be forged on the 1967 Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, Including the Moon and Other Celestial Bodies. After reading this treaty, I believe the following articles provide the best basis for cybersecurity law in space:

• Article III: This section specifically calls out the rule of international law and acting in the interest of security.
• Article IV: Parties to the treaty will not place any weapons into orbit. This can easily be interpreted as including cyberattack weapons.
• Article V: Any phenomena discovered in outer space that constitute a danger will be reported. This can be interpreted as covering cyberattacks or cybercrime. The article also mentions rendering all possible assistance to astronauts. One could conclude this may apply to a space-based CERT.
• Article VII: This article calls for international liability for damage to another state party. This language mirrors language in cybersecurity legal recourse laws.
• Article VII: In one of the clearer points of responsibility law, the article states that whoever launched the personnel into space has jurisdiction over them.
• Article IX: The concept of harmful interference is described here, and that consultation or other form of intervention may be required. This could be construed as nations not releasing malware, willfully or unwittingly, on other nations’ equipment.
• Article XII: In this article, provisions are discussed for taking maximum precautions to avoid interference with normal operations. This could very well apply to the adoption of a security controls framework for space station equipment.

I believe that various provisions of the UNCLOS could be applicable in addressing cybersecurity law in outer space. If outer space is used for cyber warfare, the Tallinn Manual, discussed further in the next section, addresses that scenario. Specifically, Rule 3 of the Tallinn Manual states that cyberinfrastructure in outer space is subject to the jurisdiction of the flag state or the flag of registration. Like a ship’s registry, a spaceship’s registry allows the vessel to assume the nationality of the country registered, inheriting its laws.

7.9 The Law of Armed Conflict in Cyberwar

Armed conflict in cyberspace has already occurred, as evidenced by the crippling hacking attacks against Estonia in 2007 and Georgia in 2008 during their war with the Russian Federation. Another example is the 2010 cyberattack by the US against Iran’s nuclear facilities with the Stuxnet worm (Sanger, 2012). I remember these incidents as if they were yesterday from my involvement with some European and utility customers that used these examples as risk simulations. Article 51 of the UN Charter, the provision for a country to use self-defense including the use of force, applies in the event a cyberattack reaches the level of an armed attack. Organizations such as the UN and NATO consider an attack as reaching the level of an armed attack when a cyberattack is launched against a country’s critical infrastructure.


Under an armed conflict law in cyberspace, nations could conduct offensive cyberattacks against aggressor states that have attacked them. The concept of this proposed law includes provisions to prohibit attacks against critical infrastructure or civilian targets. In 2013, the Tallinn Manual on the International Law Applicable to Cyber Warfare was published, which reflected the opinions of 20 noted experts on the question of cyber warfare. The Tallinn Manual was written over the period of 2009 to 2012 at the invitation of the NATO Cooperative Cyber Defense Centre of Excellence. Version 2.0 of the manual was published in late 2017. These experts unanimously agreed that the law of armed conflict applies directly to cyber warfare and, in fact, that conventional laws of the battlefield wholly apply. Within the manual, Rule 30 defines a cyberattack as a “cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects” (Schmitt, 2013). The manual has 95 rules of cyberwar covering such areas as:

• Participation in armed conflict.
• Conduct of hostilities.
• Means and methods of warfare.
• Conduct of attacks.
• Blockades.
• Detained persons.
• Occupation.
• Neutrality.

Did You Know? Since 2014, Russia has been using Ukraine as its test bed for cyberattacks, perfecting its cyber weaponry. The war in eastern Ukraine has given Russian-affiliated hackers the opportunity to perfect their ability to launch cyberattacks with a series of major intrusions in Ukraine over the past few years. Source: https://www.politico.eu/article/ukraine-cyber-war-frontline-russia-malware-attacks/

It is my opinion that, in the US, just as the Naval War College and the National War College have introduced some aspects of cyberwar training, there may soon be a dedicated Cyberwar College to train civilians and military personnel in the art of cyberwar. This will likely be accelerated once the US foreign policy is determined on the issue of cyberwarfare.

7.10 North Atlantic Treaty Organization (NATO) Cyberlaw Stance

In 2016, NATO recognized cyberspace in the same manner as it does land, sea, and air, and affirmed that international law applies in cyberspace (Lin, 2016). I believe that shortly we will see NATO military resources coming to the aid of treaty countries to defend their sovereign cyberinfrastructure in the same manner they would in repelling a foreign aggressor from attacking a treaty member’s homeland. Further expanding this commitment to protect cyberspace is the Technical Arrangement on cyber defense cooperation that NATO signed with the European Union in February 2016. NATO is also intensifying its cooperation with industry via the NATO Industry Cyber Partnership. NATO has emphasized cyber defense as part of its mission within legal principles and the rule of law. I believe it will be difficult for NATO to do much in the area of cybersecurity attack intervention because it must adhere to a complicated legal environment comprised of national law, transnational law, European Union law, and international law. To be successful, NATO will need to create a cyberwar legal framework that harmonizes these disparate laws.

7.11 United Nations – Universal Cybersecurity Legal Framework

The UN has been actively involved in drafting a legal framework for cybersecurity since 2004. Its efforts began with the formation of four groups of government experts (GGEs) whose members examined the threats and vulnerabilities of operating in cyberspace and offered cooperative measures that nations could adopt. Since then, GGEs have assembled to refine the original cooperative measures. The most current GGE report resulted in UN Resolution 70/237: Developments in the field of information and telecommunications in the context of international security, which calls on member nations to adopt the recommendations of the report. The next GGE panel is scheduled for a 2016-2017 term to update the 2015 report. The 2015 report reflects the input of 20 diverse nations including Egypt, Japan, Pakistan, Russia, and the US. The goal of this report, as in past GGE reports, is to promote open, secure, stable, accessible, and peaceful information and communications technologies (ICT) throughout the world. The report acknowledges that some member states are building ICT military capabilities and that it is only a matter of time before armed cyber conflict erupts. A very real concern is voiced over the cyber destruction of critical infrastructure and terrorist and criminal use of ICT. Table 7-4 highlights some of the most interesting aspects of the report that I believe will guide the evolution of cybersecurity law on a global basis.

Table 7-4. Important UN Legal Framework Sections

No. | Framework Topic | Overview
II. | Existing and emerging threats | Acknowledges a disturbing increase in the following: incidents involving the malicious use of ICTs, states developing ICT capabilities for military purposes, the most harmful attacks being directed at critical infrastructure, terrorist attacks against ICTs, the diversity of malicious non-state actors attacking ICT, and an imbalance of cyberwarfare capabilities among states.
III. | Norms, rules and principles for the responsible behavior of states | Develop responsible behavior among states consistent with international law, restrict the harboring of cyber terrorists, improve protections for critical infrastructure, and improve the security of the supply chain to ensure the security of global trade.
IV. | Confidence-building measures | Develop cross-nation capabilities to build strong ICT threat sharing and incident response capabilities. Create a repository of national laws and adopt a category scale to rate ICT incidents. Establish national CERTs, develop national cybercrime investigation capabilities, and leverage the UN for cross-nation adoption of cybersecurity laws and capabilities.
V. | International cooperation and assistance in ICT security and capability building | Build capacities commensurate with nation-state threats, assist developing countries in the creation and support of their ICT protection programs, and build partnerships among nations to support mutual assistance.

The majority of the report focuses on the norms, rules, and principles for responsible cyber behavior. Although these are non-binding, they do tend to set in motion the groundwork for future treaties. Also, they can form the legal framework of the universal laws which should apply to cyberspace. I believe that the weight of this legal framework comes from the fact that the five permanent members of the UN Security Council participated in the report. One critical aspect of the report, and of its subsequent adoption by Resolution 70/237, is that it limits the legitimacy of state actions that purposely breach the intellectual property of companies or the personal information of individuals. I do not expect that legal experts and GGEs will come together to create the language necessary to sanction nations that enter into armed cyber conflict or invade the cyber sovereignty of member nations until the 2018-2019 working group convenes. More detail about the GGE report and the UN Resolution is at the UN website https://gafcvote.un.org/UNODA/vote.nsf/511260f3bf6ae9c005256705006e0a5b/00bb64cc57ee1a1485257f37006a4598/$FILE/L.45.pdf.

7.12 International Treaties on Cybersecurity

One of the more lackluster – even naïve – attempts I have seen in my years as a cybersecurity expert has been the creation of cybersecurity treaties or cooperation agreements. I have commonly referred to these types of agreements as “security theater.” In the belief that they can stave off cyberattacks, nations create treaties that they hope will eliminate attack vectors from a potentially hostile country. As a common theme in the contents of these treaties, I have seen that the governments promise:

• Not to attack one another.
• To control bad actors or hackers operating on their territory.
• To cooperate in pursuing cyber criminals.
• To jointly execute incident response processes when bilateral cyberattacks occur.

I have gathered a list of such treaties currently in effect. Unfortunately, I have yet to see any evidence that the following treaties have stopped a single denial of service or hacker attack:

• African Union Convention on Cyber Security and Personal Data Protection – A June 27, 2014 treaty specifying the protection of electronic transactions, personal data protection, promotion of cybersecurity, and combating cybercrime. Of the 54 countries that may participate in this cybersecurity treaty, only 14 have signed.
• ANZUS Treaty – In 2011, the governments of the US and Australia amended a 60-year-old treaty to include cooperation in the protection of cyberspace. Adding cybersecurity was an obligatory addition to garner positive press for both countries in light of increased cyberattacks.
• Budapest Convention on Cybercrime – A 2001 treaty covering 48 articles of privacy and cybercrime available for adoption by the member states of the Council of Europe. One of the few treaties that helped, with its treatment of privacy as a basic right.
• Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data – One of the first treaties of its kind, published in 1981 by the Council of Europe, this treaty has 13 Articles that specifically cover the protection of personal data, mutual aid, and data security.
• Scientific and Technological Cooperation, Homeland/Civil Security Matters between the US and the Netherlands – Agreement to cooperate in science and technology in areas of civil security matters including cybersecurity, signed in 2012. This one is still a mystery to me. I have yet to see where a single outcome emanated from this agreement.
• Russia and China Cyber Security Pact – Cyberspace nonaggression pact signed in 2015 and agreement to pool information, law enforcement, and technology resources to defend against any cyberattacks. This is one of the most secretive pacts, as there is currently no published English version of the pact to review. Ironically, two of the world’s largest hacker communities agreed not to hack each other, but the pact does nothing to stop them from hacking others.
• US and China Cyber Agreement – A 2015 agreement to not conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors. The fact that China still attacks the US with great regularity since the signing of this agreement is proof enough for me that it has not worked.

I believe that treaties have more of a temporary “feel good” effect rather than having any real impact on reducing cybercrime. For the most part, the treaties mentioned above have been widely viewed as unsuccessful, with many drafting nations refusing to sign their respective treaty. I also attribute their poor success to the lack of the force of law and to the fact that they rely almost exclusively on mutual cooperation and voluntary efforts.

7.13 Brexit Impact on European Union Cybersecurity Law

The United Kingdom (UK) referendum on July 23, 2016, which voted to let the UK withdraw from the European Union (EU), caused many of us angst as we watched our retirement portfolios take huge hits, and we probably were not thinking about its impact on cybersecurity law. Nonetheless, this initiative, called Britain Exiting or Brexit, may very well have an impact on the 40-plus years of computer security lawmaking in which the UK was involved. Understanding how Brexit affects the EU General Data Protection Regulation (GDPR) and Network & Information Security (NIS) Directive implementation over the next few years will be necessary if your company conducts business in EU countries. For now, I do not expect any impact to EU cybersecurity laws. The UK will have to decide whether to continue support of these directives or draft its own replacement legislation. I suspect that they will opt into these directives; however, I never thought they would opt out of the EU, so it is a 50/50 chance that anything could happen. I base this opinion mostly on the economics of dismissing these critical cybersecurity laws, as many of the businesses in the UK are already changing their approaches to cybersecurity to support GDPR and NIS. Previously, the UK had widely adopted the 2000 Electronic Commerce Directive, the 1995 Data Protection Directive, and the 2006 Data Retention Directive. Unraveling nearly 20 years of EU cybersecurity directives would be unfathomable. As of this writing in 2020, the British Parliament has agreed to allow the UK to leave the European Union on January 31, 2020. However, this is far from the end of Brexit, as negotiations on future commerce relations are expected to last well into late 2020. I further believe that the UK will not want to disenfranchise itself from EU law enforcement and information security agencies such as Europol and the EU Agency for Network and Information Security (ENISA).
The UK has been a vocal and financial supporter of the creation of the European Cybercrime Centre (EC3) within Europol since the beginning, which has become the center point for fighting cybercrime throughout Europe. The UK will, of course, need to negotiate their role in these organizations once untethered from the EU. I don’t envision their diminished involvement due mainly to their cybersecurity leadership and security technology acumen. It is widely believed their leaving would negatively affect the EU’s ability to fight cybercrime. I do not see in the foreseeable future where the UK will take a cyber law isolationist approach to the EU. Thus, for the time being, you should continue with business as usual; however, keep an eye on future developments. TIP: Discuss with your legal department what exposures your organization may have resulting from Brexit. Estimate the impact of revising cybersecurity and policy practices. Prepare a plan of action in the event the legal framework changes how your company approaches information protection and privacy.

7.14 G7 Perspective on Cybercrime

In October 2016, I read a news feed article reporting that the G7, a group of seven of the largest global economies (Canada, France, Germany, Italy, Japan, the UK, and the US, plus a European Union representative), had announced a non-binding agreement with recommended elements to protect global financial institutions (Lange, 2016). Intrigued that the G7 would weigh in on cybersecurity, I retrieved the document from the US Department of the Treasury website to understand further what this means. What I learned is that there are eight elements to this agreement, covering pretty much what you might expect from such a lofty organization. The elements include all the classic goals, such as promising to create a global cybersecurity framework, governing the framework, encouraging risk assessments, and several other traditional categories of cybersecurity (US Department of the Treasury, 2016). Table 7-5 presents the elements of the G7's cybercrime agreement.

Table 7-7. G7 Cybercrime Agreement Elements

| Element | Topic | Focus |
|---|---|---|
| Element 1 | Cybersecurity Strategy and Framework | Create a strategy and framework to reduce cyber risks. |
| Element 2 | Governance | Assign competent personnel and manage their effectiveness through accountability metrics. |
| Element 3 | Risk and Control Assessment | Perform risk assessments of critical technology infrastructure. |
| Element 4 | Monitoring | Detect cyberattacks and test the effectiveness of controls. |
| Element 5 | Response | Respond to cyberattacks. |
| Element 6 | Recovery | Recover from cybersecurity attacks while continuing critical operations. |
| Element 7 | Information Sharing | Share actionable cybersecurity threat information. |
| Element 8 | Continuous Learning | Implement a process of continuous improvement for the framework. |

Only time will tell whether the G7 member countries will rally around these agreed-upon guidelines to set the global tone within the financial industry for improving cybersecurity at the world's largest financial institutions.


Summary

To be an effective manager in today's world economy, you would be wise to acquire a global perspective on business, technology, and yes, even cybersecurity. It is time to adopt a world view on how information is protected, as well as to understand how US foreign policy and trade pacts could impact your organization's approaches to cybersecurity and data privacy. In addition, you will want to be ahead of the technology curve when it comes to legislative drivers. In the next chapter, I will show you how to build your cybersecurity law program and how to select a cyber liability insurance policy as your contingency plan when all else fails.


References

Antonipillai, J., & Lee, M. K. (2016, September). Intellectual property and the US economy: 2016 update. US Department of Commerce, Economics and Statistics Administration, and the US Patent and Trademark Office. Retrieved from https://www.uspto.gov/sites/default/files/documents/IPandtheUSEconomySept2016.pdf

APEC. (2019, April 15). What is the Cross-Border Privacy Rules System? Retrieved from https://www.apec.org/About-Us/About-APEC/Fact-Sheets/What-is-the-Cross-Border-Privacy-Rules-System

Canon, G. (2019, September 6). What is California's AB 5? The bill could make gig economy workers like Uber drivers employees. USA Today. Retrieved from https://www.usatoday.com/story/news/politics/2019/09/06/what-you-need-know-california-ab-5-gig-economy-bill-uber-lyft-drivers/2213459001/

Goldstick, S., Rathburn, J., & Tantleff, A. (2019, January 11). Ringing in 2019 with new state privacy and data security laws impacting data brokers and insurers. Foley & Lardner. Retrieved from https://www.foley.com/en/insights/publications/2019/01/ringing-in-2019-with-new-state-privacy-and-data-se

Johnson, A. (2014, November 12). NOAA confirms cyberattack "in recent weeks." NBC News. Retrieved from http://www.nbcnews.com/news/us-news/noaa-confirms-cyberattack-recent-weeks-n247446

Lange, J. (2016, October 11). G7 sets common cyber-security guidelines for financial sector. Reuters. Retrieved from https://in.finance.yahoo.com/news/g7-sets-cyber-security-guidelines-financial-sector-152620366--sector.html

Lin, H. (2016, June 15). NATO's designation of cyber as an operational domain of conflict. Retrieved from https://www.lawfareblog.com/natos-designation-cyber-operational-domain-conflict

Meyer, P. (2016). Outer space and cyber space: A tale of two security realms. In A. Osula & H. Rõigas (Eds.), International cyber norms: Legal, policy & industry perspectives (pp. 155–169). Tallinn, Estonia: NATO Cooperative Cyber Defence Centre of Excellence.

Mott, N. (2014). The FBI thinks private companies may be retaliating against hackers with their own attacks. Retrieved from https://pando.com/2014/12/30/the-fbi-thinks-private-companies-may-be-retaliating-against-hackers-with-their-own-attacks/

National Association of Insurance Commissioners. (2016, August 17). Insurance data security model law (Preliminary and working discussion draft). Retrieved from http://www.naic.org/documents/committees_ex_cybersecurity_tf_exposure_mod_draft_redline.pdf

Neuburger, J. (2018, April 27). Researchers may challenge the constitutionality of the CFAA "access" provision as applied to web scraping. The National Law Review. Retrieved from https://www.natlawreview.com/article/researchers-may-challenge-constitutionality-cfaa-access-provision-applied-to-web

Office of the US Trade Representative. (2016, February 4). TPP full text – Chapter 14: Electronic commerce. Retrieved from https://ustr.gov/sites/default/files/TPP-Final-Text-Electronic-Commerce.pdf

Organisation for Economic Co-operation and Development. (2013). The OECD privacy framework. Retrieved from https://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf

Organisation for Economic Co-operation and Development. (2016). List of OECD member countries – Ratification of the convention on the OECD. Retrieved from http://www.oecd.org/about/membersandpartners/list-oecd-member-countries.htm

Paul, F. (2018, November 26). Gartner's top 10 IoT trends for 2019 and beyond. Network World. Retrieved from https://www.networkworld.com/article/3322517/a-critical-look-at-gartners-top-10-iot-trends.html

Podesta, J., Pritzker, P., Moniz, E., Holdren, J., & Zients, J. (2014, May). Big data: Seizing opportunities, preserving values. The White House, Executive Office of the President. Retrieved from https://obamawhitehouse.archives.gov/sites/default/files/docs/20150204_Big_Data_Seizing_Opportunities_Preserving_Values_Memo.pdf

Powell, D. (2008, August 29). Space station computer virus raises security concerns. New Scientist. Retrieved from https://www.newscientist.com/article/dn14628-space-station-computer-virus-raises-security-concerns/

Sanger, D. (2012, June 1). Obama order sped up wave of cyberattacks against Iran. The New York Times. Retrieved from http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?_r=2&pagewanted=2&seid=auto&smid=tw-nytimespolitics&pagewanted=all

Schmitt, M. N. (Ed.). (2013). Tallinn manual on the international law applicable to cyber warfare. Cambridge, UK: Cambridge University Press. Retrieved from https://www.cambridge.org/core/books/tallinn-manual-on-the-international-law-applicable-to-cyber-warfare/50C5BFF166A7FED75B4EA643AC677DAE

United Nations. (1982). United Nations convention on the law of the sea. Retrieved from http://www.un.org/Depts/los/convention_agreements/convention_overview_convention.htm

United Nations. (1999). UNCITRAL model law on electronic commerce with guide to enactment. Retrieved from http://www.uncitral.org/pdf/english/texts/electcom/05-89450_Ebook.pdf

United Nations. (2007). United Nations convention on the use of electronic communications in international contracts. Retrieved from http://www.uncitral.org/pdf/english/texts/electcom/06-57452_Ebook.pdf

US Department of Homeland Security, US Coast Guard. (2009, June 18). Port security advisory (3-09): Guidance on self-defense or defense of others by US flagged commercial vessels operating in high-risk waters. Retrieved from https://www.jmtx.org/wp-content/uploads/Library/CG%20Docs/PSA_3-09.pdf

US Department of the Treasury. (2016, October). G7 fundamental elements of cybersecurity for the financial sector. Retrieved from https://www.treasury.gov/resource-center/international/g7-g20/Documents/G7%20Fundamental%20Elements%20Oct%202016.pdf


Self-Study Questions

The following exercises show you how to stay abreast of changes in cybersecurity law:

1. Using the types of technology your organization manufactures or uses, identify the specific applicable cybersecurity laws.
2. Review your organization's cloud provider contracts to ensure they reflect existing or proposed cybersecurity laws and protections.
3. Determine if your organization's security testing program violates the Digital Millennium Copyright Act (DMCA).
4. For government organizations, review Executive Orders for applicability. Adjust your cybersecurity program to obtain compliance.
5. Examine your organization's ethical hacking practices and procedures to ensure they comply with applicable laws.
6. Review the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) in the context of your organization's supply chain to determine if changes in your cybersecurity program are warranted.
7. If your organization is in the insurance industry, determine if your cybersecurity program complies with the Insurance Data Security Model Law.
8. Adopt a policy of no hacking back when your organization is experiencing a cyberattack.
9. Review which cybersecurity treaties apply to your organization.
10. Evaluate how your organization's cybersecurity program may be impacted by the final exit of Great Britain from the European Union.


Appendix A: Useful Checklists and Information

These lists are to guide you in your research. The author does not endorse any of the agencies, providers, or products listed here. Names of all products and companies are trademarked and are the sole property of their owners. Note: Links in all tables are current as of February 2020.


Table A-1. eDiscovery Software

Table A-1 lists some eDiscovery software available to automate a cybersecurity law program.

| Product | Company | Key Features | Deployment | Supported Users |
|---|---|---|---|---|
| CloudNine | CloudNine Discovery | Case Analytics; Compliance Management; Document Indexing; Full Text Extraction; Keyword Search; Meta Data Extraction; Topic Clustering | Cloud, SaaS, Web | 1 to 1000+ |
| Discovery Attender | Sherpa Software | Full Text Extraction; Keyword Search; Meta Data Extraction | Windows | 1 to 1000+ |
| Logikcull | Logikcull.com | Case Analytics; Compliance Management; Document Indexing; Full Text Extraction; Keyword Search; Meta Data Extraction; Topic Clustering | Cloud, SaaS, Web | 1 to 1000+ |
| Nextpoint | Nextpoint, Inc. | Case Analytics; Document Indexing; Full Text Extraction; Keyword Search; Meta Data Extraction; Topic Clustering | Cloud, SaaS, Web | 1 to 1000+ |
| Z-Discovery | Zapproved, Inc. | Document Indexing; Full Text Extraction; Keyword Search; Meta Data Extraction; Topic Clustering | Cloud, SaaS, Web | 1 to 9 |

Table A-2. Cybercrime Reporting Agencies

Should you need to notify external law enforcement agencies, see the list in Table A-2.

| Cybercrime Type | Reporting Agency |
|---|---|
| Child Pornography & Exploitation | FBI local office; US Immigration and Customs Enforcement (Import Crimes); Internet Crime Complaint Center |
| Computer Hacking Incidents | FBI local office; Internet Crime Complaint Center; US Secret Service |
| Copyright Piracy | FBI local office; Internet Crime Complaint Center; US Immigration and Customs Enforcement (ICE) |
| Internet Fraud & Spam | FBI local office; Federal Trade Commission (online complaint); Securities and Exchange Commission; Internet Crime Complaint Center; US Secret Service |
| Password Trafficking | FBI local office; Internet Crime Complaint Center; US Secret Service |
| Theft of Trade Secrets & Economic Espionage | FBI local office |
| Trademark Counterfeiting | FBI local office; Internet Crime Complaint Center; US Immigration and Customs Enforcement (ICE) |


Table A-3. Cyber Tort Readiness Checklist

Use Table A-3 to determine if your company would be prepared for a data breach lawsuit.

| No. | Question | Score |
|---|---|---|
| 1 | Does an inventory of legal and regulatory statutes exist? | |
| 2 | Has an assessment been completed of the penalties your company could incur for violating legal and regulatory statutes? | |
| 3 | Intentional Cybercrimes against Persons: Does your company have a policy prohibiting cybersecurity torts consisting of cyberbullying, cyber defamation, cyberstalking, etc.? | |
| 4 | Cybertrespass to Chattel: Does your company have a policy prohibiting cybertrespass consisting of sending spam, installing spyware, and causing denial of service attacks? | |
| 5 | Cyber-conversion: Does your company have a policy prohibiting session hijacking and using computer services not previously authorized? | |
| 6 | Does your company have monitoring systems in place to detect intentional cybercrimes against persons? | |
| 7 | Does your company have monitoring systems in place to detect cybertrespass to chattel? | |
| 8 | Does your company have monitoring systems in place to detect cyber-conversion? | |
| 9 | Does your company use a risk-based approach to defend against data breaches? | |
| 10 | Does your company use commercially reasonable means to protect customer data? | |
| 11 | Does your company have a data breach incident response plan? | |
| 12 | Does your company have a data breach communications strategy? | |
| 13 | Does your company comply with data breach safe harbor provisions? | |
| 14 | Does your company have a cyber liability insurance policy? | |
| 15 | Has your company's board of directors approved your data breach incident response plan? | |
| 16 | Has your company's legal counsel been actively involved with your data breach incident response plan? | |
| | Total | |

Instructions: For each yes response, give yourself a score of one; for each negative response, give yourself a zero. Add up your total score and compare it to the chart below to see where you rank in preparedness:

| Rank | Score |
|---|---|
| Poor | 0-4 |
| Fair | 5-8 |
| Good | 9-12 |
| Better | 13-16 |

Table A-4. Providers of Cyber Liability Insurance

If you are considering cyber liability insurance, there are over 500 companies that offer cyber insurance policies. Table A-4 lists some of the better-known companies.

| Company | Policies |
|---|---|
| American International Group, Inc. | CyberEdge; CyberEdge Plus |
| Chubb Limited | Chubb Privacy Protection; Chubb DigiTech; Integrity+ |
| Philadelphia Insurance Companies | Cyber Security Liability Program |
| The Hartford | Data Breach Insurance |
| The Travelers Indemnity Company | CyberFirst (First Party; Third Party) |
| Zurich American Insurance Company | Security and Privacy (S&P) Protection |

Risk management services offered by these providers include:

- Axio Global
- BitSight
- IBM Security Services
- K2 Intelligence
- RiskAnalytics
- Compliance Assessments
- Loss Prevention Portal
- Data Breach Plans
- Breach Assistance Resource Directory
- Breach Notification Law Directory
- Breach Response Templates
- Breach Risk Assessment
- Breach Response Partners
- Data Breach Preparedness Website
- Cyber Risk Pressure Test
- Data Breach Coach Directory
- Data Breach Planning Resources
- Data Breach Coaches
- Data Breach Response Services
- NetDiligence Cyber Risk Assessments

Table A-5. Research Sources

Access the sources of research in Table A-5 when creating your cyberlaw program.

| Resource | Summary |
|---|---|
| 2018 Internet Crime Report | Internet Crime Complaint Center (IC3) annual report that aggregates and highlights the data provided by the general public concerning Internet crimes. |
| 2019 Data Breach Litigation Report | 2019 report covering 24 months of 600+ data breach litigation cases. |
| Cornell University Law School | Portal for searching federal, state, and regulatory statutes as well as the US Code, Uniform Commercial Code (UCC), and world law. |
| Data Breach Notification Laws | Inventory of the 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands that have enacted legislation requiring private, governmental, or educational entities to notify individuals of security breaches involving personally identifiable information. |
| EU Cybersecurity Dashboard | Study conducted by BSA \| The Software Alliance, which includes analysis of the legal foundations of cybersecurity across 28 member states. |
| United States Courts | The federal rules of practice and procedure govern litigation in the federal courts. This site provides access to the federal rules and forms in effect, information on the rulemaking process (including proposed and pending rules amendments), and historical and archival records. |
| Model Contract for Personal Data Transfer | Sample contractual clauses approved by the Council and the European Parliament for transfer of data outside of the EU. |
| State Computer Crime Statutes | Inventory of all available state computer crime statutes with links to the respective state laws. |


Table A-6. Digital Forensics Toolkits

Digital forensics software is required to gather legally admissible evidence. Table A-6 lists some of the computer forensics toolkits on the market today.

| Product | Company | Summary |
|---|---|---|
| AccessData Forensic Toolkit (FTK) | AccessData Corp | Designed for law enforcement and corporate security professionals, providing the ability to perform complete and thorough computer forensic examinations. Features powerful file filtering and search functionality through customizable filters to sort through thousands of files to find the evidence. Advanced features for computer forensics and investigations using an intuitive GUI. |
| EnCase Forensic Edition | Guidance Software | Provides investigators with the tools to conduct large-scale and complex investigations with accuracy and efficiency. Designed for non-invasive computer forensic investigations, allowing examiners to manage large volumes of computer evidence and view all relevant files, including "deleted" files, file slack, and unallocated space. |
| P2 Commander | Insectra | Comprehensive digital investigation tool with over ten years of court-approved use by forensic examiners. An integrated database and multi-threading for fast processing. Includes email examination tools for network email and personal email archive analysis. Advanced features include data triage analysis, Xbox analysis, pornography detection, and more. |
| Passware Kit Forensic | Passware, Inc. | A complete solution for encrypted evidence discovery, encryption analysis, password recovery, and decryption. Passware's top-selling products are widely used by law enforcement agencies and are included in Certified Computer Examiner training. |
| SQLite Forensics Explorer | Acquire Forensics | Integrated toolkit that includes email examiner software, email viewers, and data analysis solutions. Advanced features consist of MBOX, MSG, PST, OST, and DMG viewers. |


Table A-7. Cyber Liability Stress Test

Use the questionnaire in Table A-7 to perform a stress test to determine how well your cybersecurity, privacy, or legal practices would function in the face of real offenses.

| No. | Scenario | Score |
|---|---|---|
| 1 | Do monitoring practices exist to detect internal or external trade secret theft? | |
| 2 | Do monitoring practices exist to detect real-time credit card number theft? | |
| 3 | Can your security monitoring capabilities detect employees accessing or storing child pornography? | |
| 4 | Can your security monitoring capabilities detect the installation and use of pirated software? | |
| 5 | Do monitoring capabilities exist to detect unauthorized access of email accounts? | |
| 6 | Could your company pass an OCR HIPAA Privacy Rule enforcement investigation? | |
| 7 | Could your company pass an FTC COPPA enforcement investigation? | |
| 8 | Could your company successfully defend a Fourth Amendment or ECPA violation lawsuit regarding monitoring employee activities? | |
| 9 | Does your company have a policy to handle derivative lawsuits? | |
| 10 | Does your company have a policy to support employees personally named in a class action lawsuit? | |
| 11 | Does your company have a policy to protect whistleblowers? | |
| 12 | Does your company monitor for cryptography export violations? | |
| 13 | Do you know if your company is violating any cryptography patents? | |
| 14 | Does your company have a legal privilege policy in place to prevent security assessment reports from discovery? | |
| 15 | Will your cyber liability policy application show a true representation of your company's security controls? | |
| 16 | Has a coverage gap assessment been completed for your company's cyber liability policy? | |
| | Total | |

Instructions: To arrive at your total score, assign a 1 for each yes answer and a 0 for each no answer. To interpret your total score, see the chart below:

| Rating | Score |
|---|---|
| Low | 0-4 |
| Moderate | 5-8 |
| Strong | 9-12 |
| High | 13-16 |

Table A-8. Cybersecurity Law Program Bill of Materials

Table A-8 lists the components that you will require to create your cybersecurity law program.

| Subcomponent | Cybersecurity Law | Data Privacy Law | Cryptographic Law | Forensics Law | Cyber Liability Insurance |
|---|---|---|---|---|---|
| People (Roles) | Senior Legal Counsel; Cyberlaw Librarian; Cyberlaw Analyst | Chief Privacy Officer | Cybersecurity Analyst | Forensics Lead | Insurance Risk Manager |
| Policies | Cyber-security Law Program Policy | Privacy Policy Statements | Cryptology Policy Statements | Digital Forensics Policy | Cyber Liability Insurance Policy Statements |
| Procedures | Federal Rules of Civil Procedure (FRCP) Manual; Federal Rules of Criminal Procedure; Data Breach Incident Response Plan | iKeepSafe Framework; NIST SP 800-53 Appendix J Privacy Controls | Cryptography Export License Form; NIST SP 800-111; Wassenaar Arrangement | Digital Evidence Procedure | Cyber Liability Insurance Policy; Claims Procedure; Coverage Assessment Checklist |
| Technology | eDiscovery Software; SharePoint; Westlaw or Lexis/Nexis; RSS Feeds | Policy Compliance Scanning Software | Data-at-Rest Encryption Software; Data-in-Transit Encryption Software | Forensics Toolkit | NA |

Index Figures and tables are indicated by f and t following the page number. AIA (Aerospace Industries Association) National Aerospace Standard 9933, 191 AICPA (American Institute of Certified Public Accountants), 229t AIG (American International Group), 214, 277t Alaska Department of Health and Social Services, 83t genetic information privacy law in, 154t ALCOA Model, 171, 172f Allianz, 214 All Writs Act, 141 ALPR (automated license plate reader) privacy protection, 120–121, 121t Altaba, 49 Alternative Dispute Resolution (ADR) arbitration law, 40, 41f, 42–43 dispositive motions, 40, 41f, 43–44, 44–46t mediation law, 40–42, 41f summary judgments, 46 US cybersecurity law, 40–46 Amazon, 117 American Arbitration Association (AAA), 43 American Express, 177 American Federation of Government Employees, 112 American Institute of Certified Public Accountants (AICPA), 229t American International Group (AIG), 214, 277t American National Standards Institute (ANSI), 181

A AAA (American Arbitration Association), 43 Aaron, Joshua Samuel, 31t AccessData Corp., 279t Accountability matrix, 202–203, 203t Accountability standards, CBPR, 253, 254t Accounting Standards Codification (ASC), 50 ASC 350-40 – Internal-Use Software, 50 ASC 450-20 – Loss Contingencies, 50 ASC 605-50 – Customer Payments and Incentives, 50 Acquire Forensics, 279t Active Insurance, 103t Act of war defense, 222 Act on Protection of Personal Information (APPI, Japan), 100t Actus reus, 20, 21f Admissibility of evidence, 147 Adobe Systems, Inc., 14, 136t ADR. See Alternative Dispute Resolution Advance fee fraud, 16t Advocate Health Care, 47t, 82t Advocate Health System, 83t AECA (Arms Export Control Act), 142t Aerojet, 69 Aerospace Industries Association (AIA) National Aerospace Standard 9933, 191 African Union Convention on Cyber Security and Personal Data Protection (2014), 264 Aguilar, Luis A., 48 283

cybersecurity superiority, 236 data localization laws, 256t Defense Signals Directive, 236 Privacy Act Amendment (Notifiable Data Breaches), 100 Austria, cryptography laws in, 138 Automated license plate reader (ALPR) privacy protection, 120–121, 121t

Ametovski, Djevair, 31t Ancestry.com, 154 Andres, Edwin, 14 ANSI (American National Standards Institute), 181 Anthem, Inc., 47t, 82t Antiterrorism and Effective Death Penalty Act (1996), 144–145 ANZUS Treaty (2011 amendment), 264 AOL, 79t Aon, 225t APEC Cross-Border Privacy Rules (CBPR) System, 252–254, 254f, 254t Apex Global Information Services, Inc., 39 APPI (Act on Protection of Personal Information, Japan), 100t Apple, 134b, 136t, 141, 149b, 253 Arbitration law, 40, 41f, 42–43 Architecture of cybersecurity law programs, 199, 200f Arch Wireless, 107 Argentina, cryptography laws in, 138 Aristotle Age Verification Solution, 78 Arizona, computer crime laws in, 62 Arkansas automated license plate reader privacy protection, 121t biometrics law, 153t CIPO law, 92t event data recorder privacy protection, 119t identity theft laws, 68 Armed conflict law in cyberwar, 260–261 Arms Export Control Act (AECA), 142t ASC. See Accounting Standards Codification Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System, 252–254, 254f, 254t Assistance and Access Act (2018, Australia), 143t Asymmetric key algorithms, 129t AT&T, 30t At-Bay, 225t Atomic Energy Act (1954), 38, 38b, 56 Auditing. See Compliance auditing Australia ANZUS Treaty, 264 APEC Cross-Border Privacy Rules System, 252 Assistance and Access Act (2018), 143t Basel III Accord, 160–161, 160–161t CPTPP cybersecurity framework, 250 cryptography laws, 138, 143, 143t

B Bahrain Personal Data Protection Law, 101 Banking and financial industry arbitration, 42, 43 Basel III Accord, 160–161, 160–161t cybercrimes in, 14 data breach notification laws, 95–97 encryption requirements, 141–142t extradition for cybercrimes in, 30–31t Federal Financial Institutions Examination Council audits, 25, 168 FINRA oversight, 25, 43, 141–142t, 169–170 punishment for cybercrimes in, 32b regulatory enforcement, 25 successful data breach lawsuits, 47t Basel III Accord, 160–161, 160–161t Beck v. McDonald (2017), 46 Belarus, cryptography laws in, 133t Belgium, cryptography laws in, 138 Bendelladj, Hamza, 31t Best evidence rule, 145–146, 205 Better Business Bureau's Children's Advertising Review Unit (CARU), 78 Big data, 238–239 Bill of Materials, 230, 281t Biometric Information Privacy Act (BIPA, IL), 44, 153t Biometrics laws, 44, 152–154, 153t Bisnode, 104t Board of directors derivative lawsuits, 109–110 directors and officers insurance, 113 Bork, Robert, 76 Bots, 30–31t, 66 Brandeis, Louis, 76 Brant Flax v. Pet360, Inc. (2015), 208b Brazil Basel III Accord, 160–161, 160–161t General Data Protection Law, 100–101 Brexit, 264–265 Bring-your-own-device (BYOD) policy, 116, 187 284

CARU (Better Business Bureau's Children's Advertising Review Unit), 78 Causation, 21, 21f, 106 CBPR (Cross-Border Privacy Rules) System, 252– 254, 254f, 254t CCIPS (Computer Crime and Intellectual Property Section), 27 CCPA (Cable Communications Policy Act, 1984), 87t CDA (Communications Decency Act), 53 Center for Internet Security (CIS) Critical Security Controls, 180f, 189, 189f Centers for Medicare and Medicaid, 173 Centro Hospitalar Barreiro Montijo, 104t CFATS (Chemical Facility Anti-Terrorism Standards) Act (2007), 25, 161–162, 162– 163t CFTC (Commodity Futures Trading Commission), 98 Chain of custody, 146, 205 Chemical Facility Anti-Terrorism Standards (CFATS) Act (2007), 25, 161–162, 162– 163t Chief information officers (CIOs), 112 Chief Information Privacy Officer (CIPO) laws, 91–92, 92t Chief information security officers (CISOs) cybersecurity law program role, 200, 201f, 202 duty to reveal security breaches, 50 personal liability for data breaches, 112 Chief legal officers (CLOs), 201, 201f Chief privacy officers (CPOs), 91–92, 200, 201f, 202 Child pornography cybercrimes, 14, 26 Children’s Medical Center of Dallas, 82t Children’s Online Privacy Protection Act (COPPA, 1998), 77–80, 79t, 88t, 205 Children’s privacy laws, 77–80 federal, 77–80, 79t, 88t, 205 state, 80, 205 Chile APEC Cross-Border Privacy Rules System, 252 CPTPP cybersecurity framework, 250 China APEC Cross-Border Privacy Rules System, 252 Basel III Accord, 160–161, 160–161t cryptography laws, 132, 133t, 142, 143t cyberbalkanization laws, 255

British Airways, 104 Brunei, CPTPP cybersecurity framework in, 250 Buckley Amendment. See Family Educational Rights and Privacy Act Budapest Convention on Cybercrime (2001), 264 Bug bounty pilot program, 58, 241 Bulgaria, cryptography laws in, 138 Burma, cryptography laws in, 133t Business associates, health data privacy protection, 85 BYOD (bring-your-own-device) policy, 116, 187 C Cable Communications Policy Act (CCPA, 1984), 87t California Assembly Bill 5, 241 automated license plate reader privacy protection, 121t Consumer Privacy Act, 153t cryptography patent infringement, 135 data breaches, 94b digital forensics laws, 150, 151t Privacy Rights for California Minors in the Digital World, 80 ransomware laws, 63, 64t Security of Connected Devices for IoT Security, 238 CAM (critical audit matters), 226–227, 227t Campbell-Ewald Co. v. Gomez (2016), 108 Canada ALCOA Model, 171, 172f APEC Cross-Border Privacy Rules System, 252, 253 Basel III Accord, 160–161, 160–161t CPTPP cybersecurity framework, 250 cryptography laws, 138, 143 data localization laws, 256t G7 cybercrime agreement, 265–266, 266t Personal Information Protection and Electronic Documents Act, 100t US-Mexico-Canada Agreement, 254–255 CAN-SPAM Act (Controlling the Assault of NonSolicited Pornography and Marketing Act, 2003), 88t CAPA (Confederation of Asian and Pacific Accountants), 229t Capital One, 17b Carrefour SA, 14 285

CloudSploit, 211t CNA Financial Corporation, 51, 219 Coalfire Labs, 242, 242b Coast Guard (US), 258 Codeshop, 31t Codrut, Robert, 31t Coffey Health System, 85b Colorado, automated license plate reader privacy protection in, 121t Columbia Casualty, 51 Columbia University, 83t Commerce Department Bureau of Industry and Security, 130, 132b economic statistics, 249 export cryptography control, 130–131 security testing allowance requests to, 240 Commercially reasonable means, 24, 49 Commodity Futures Trading Commission (CFTC), 98 Common law duty, 54–55 Communications Decency Act (CDA), 53 Compliance auditing auditing associations, 229, 229t critical audit matters/material weaknesses, 226–227, 227t, 228b cybersecurity law program, 225–229, 226f, 227–229t internal vs. external auditing, 227–228, 228t model structure, 226f Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) Cybersecurity Framework, 250–252 Computer Crime and Intellectual Property Section (CCIPS), 27 Computer Crime Enforcement Act (2000), 57 Computer Fraud and Abuse Act (1986), 39, 56, 65, 147b, 236 Computer Matching and Privacy Protection Act (1988), 88t Computer sabotage, 19 Computer Science and Artificial Intelligence Laboratory (CSAIL), 39 Computer Security Act (1987), 57 Concentra Health Services, 83t Concurrence, 21, 21f Confederation of Asian and Pacific Accountants (CAPA), 229t Connecticut computer crime laws, 62 event data recorder privacy protection, 119t ransomware laws, 64t

  Cybersecurity Multi-Level Protection Scheme, 93
  data localization laws, 256t
  extradition from, 30
  National Information Security Standardization Technical Committee (TC260), 101
  “No Where to Hide” law, 93
  Personal Information Security Specification, 101
  privacy laws, 92–93, 101, 249
  Russia and China Cyber Security Pact, 264
  satellite cyberattack, 259
  US and China Cyber Agreement, 264
ChoicePoint, Inc., 110
Chubb Limited, 277t
Cignet Health, 81
Cignet Health of Prince George’s County, 83t
Cihodariu, Miriam, 129
CIOs (chief information officers), 112
CIPO (Chief Information Privacy Officer) laws, 91–92, 92t
CISA (Cybersecurity and Infrastructure Security Agency), 58, 161–162, 243
Cisco Systems, Inc., 114, 253
CIS (Center for Internet Security) Critical Security Controls, 180f, 189, 189f
CISOs. See Chief information security officers
City of Ontario, California v. Quon (2010), 107–108
Civil law
  civil cybercrimes, 16–17
  cryptography violations, 132, 132b
  cybersecurity law program component, 197, 197f
  private cybersecurity law as, 22
  rules of civil procedure, 60–62, 61t, 208–209
  tort law as. See Tort law
Clapper v. Amnesty Int’l USA (2013), 106
Clarifying Lawful Overseas Use of Data (CLOUD) Act (2018), 151–152
Class action lawsuits
  Alternative Dispute Resolution to avoid, 42, 43, 44–46t
  data breach litigation, 105–106, 108–109
  for duty to accurately disclose safeguards, 51
  injury vs. no-injury, 105–106, 108–109
CLOs (chief legal officers), 201, 201f
CLOUD (Clarifying Lawful Overseas Use of Data) Act (2018), 151–152
Cloud computing, 239–240
CloudNine Discovery, 274t

Critical audit matters (CAM), 226–227, 227t
Croatia, cryptography laws in, 138
Cross-Border Privacy Rules (CBPR) System, 252–254, 254f, 254t
Cryptography
  asymmetric key algorithms, 129t
  backdoor access, 132, 152
  cryptography laws, 129–139
  cybersecurity law program component, 197, 197f, 200f, 204–205, 213t, 281t
  cyber torts, 23
  data breach laws, 94, 98, 139
  defined, 128
  digital forensics for breach detection. See Digital forensics
  duty to accurately disclose safeguards, 51
  duty to provide reasonable security, 49
  elliptic curve algorithms, 129t
  emerging laws, 152
  encryption key, 128
  encryption key disclosure, 140–141, 143–144, 204–205
  export control laws, 130–131, 204
  failure to act duty, 52
  Fifth Amendment, 137–138, 140–141
  Fourth Amendment, 136–137
  hash algorithms, 129t
  healthcare data privacy, 82–83t, 204
  import control laws, 132–133, 133t, 204
  international cryptography laws, 129–138, 142–144, 143t, 204
  international privacy laws, 93
  International Traffic in Arms Regulations, 132, 142t
  laws and regulations requiring encryption, 141, 141–142t
  mapping legal requirements to controls, 213t
  overview, 128–129, 129t
  patent infringement, 133–136, 136t, 204
  personal use exemption, 138, 204
  policies, 204–205
  popular methods, 129t
  safe harbor provisions, 139, 204–205
  search and seizure of encrypted data, 136–138, 206
  state cryptography laws, 129, 139, 204–205
  symmetric key algorithms, 129t
CryptoPeak Solutions, 134
CSAIL (Computer Science and Artificial Intelligence Laboratory), 39
Curry v. Schletter (2018), 67b

Consolidated Appropriations Act (2016), 54
Consolidated Appropriations Act (2018), 151
Constitution, US. See also specific Amendments
  future cybersecurity law constitutionality, 236
  privacy rights, 76, 107, 117, 120
Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act, 2003), 88t
ControlScan, 211t
Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (1981), 264
COPPA (Children’s Online Privacy Protection Act, 1998), 77–80, 79t, 88t, 205
Costco, 227t
Costea, Teodor Laurentiu, 31t
Cottage Health System, 51, 82t, 219
CPOs (chief privacy officers), 91–92, 200, 201f, 202
CPTPP (Comprehensive and Progressive Agreement for Trans-Pacific Partnership) Cybersecurity Framework, 250–252
Credit card crimes
  cybercrimes involving, 14
  data breach litigation, 105–106
  dispositive motions, 43, 45t
  extradition for, 31t
  PCI DSS to avoid, 25, 52, 114, 177–178, 177–178t, 180, 180f
  punishment for, 32, 32b
  state duty of care laws, 52
  successful data breach lawsuits, 47t
Criminal law
  actus reus, 20, 21f
  causation, 21, 21f
  concurrence, 21, 21f
  criminal cybercrimes, 16–17, 55–56, 56t, 58–59, 59t
  cybersecurity law program component, 197, 197f
  elements of, 20–21, 21f
  federal computer crime statutes, 39, 56–59, 59t, 64–65, 75
  health data privacy enforcement, 81–82, 85
  mens rea, 20, 21f
  public cybersecurity law as, 22
  punishment and penalties, 55–56, 56t, 59t
  rules of criminal procedure, 60, 60t, 209
  state computer crime laws, 62–69, 64t, 278t
  US cybersecurity law, 55–56, 56t, 58–59, 59–60t, 60, 62–69, 64t

  cybersecurity law program, 197f, 198, 200f, 206, 214–224, 216t, 223f, 281t
  evolution of, 214
  insurable vs. uninsurable risk, 222, 223f
  NAIC Model Cybersecurity Law, 246–248, 247f
  negligence or failure to follow exclusion, 214b
  policies on, 206
  policy claim disputes, 219
  policy claims, 214b, 218–219
  policy cost, 218
  policy lawsuits, 219–221
  policy restrictions, 217
  policy value, 217–218
  premiums, 214–215, 218
  provider list, 277t
  residual risk and, 216
  silent cyber risk insurance, 223–224
Cyber liability stress test, 280t
Cyber Promotions, Inc. v. Apex Global Information Services, Inc. (1997), 39
Cyber reserve, 65
Cyber revenge, 16t
Cybersecurity analysts, 201f, 202
Cybersecurity and Infrastructure Protection Agency Act (2016), 243
Cybersecurity and Infrastructure Security Agency (CISA), 58, 161–162, 243
Cybersecurity and Infrastructure Security Agency Act (2018), 58
Cybersecurity Assessment Tool, 168
Cybersecurity Enhancement Act (2014), 39, 57, 243
Cybersecurity Information Sharing Act (2015), 54
Cybersecurity law
  adherence to, 13, 33
  branches of, 22
  civil. See Civil law
  criminal. See Criminal law
  cryptography. See Cryptography
  cybercrimes violating. See Cybercrimes
  data and privacy protection. See Data protection; Privacy protection
  digital forensics. See Digital forensics
  enforcement. See Cyberlaw enforcement; Punishment and penalties
  future developments, 235–267
  jurisdiction. See Jurisdiction
  regulatory. See Regulatory law
  US. See US cybersecurity law
Cybersecurity law programs

CVS Pharmacy, 84t
Cyber activism, 16t, 19
Cyber AIR Act, 244
Cyberbalkanization laws, 255
Cyber blackmail, 16t, 19
Cyber bullying, 16t, 19, 23, 68–69
Cyber-conversion, 23
Cybercrimes
  categories of, 19–20
  criminal, 16–17, 55–56, 56t, 58–59, 59t. See also Criminal law
  defendants in, 17
  defined, 17–19
  enforcement of laws on. See Cyberlaw enforcement
  extradition for, 30, 30–31t
  G7 agreement, 265–266, 266t
  inchoate, 19–20
  infamous, 14–15
  institutional, 19
  personal, 19
  plaintiffs in, 17
  property, 19
  punishment and penalties for. See Punishment and penalties
  reporting agencies, 275t
  taxonomy for, 15, 16t
  tribal jurisdiction, 89–90
Cyber Data Risk Managers LLC, 218
Cyber defamation, 23
Cyber espionage, 16t
Cyber Hunt and Incident Response Teams Act (2019), 64–65
Cyberlaw analysts, 201f, 202
Cyberlaw enforcement. See also Punishment and penalties
  Alternative Dispute Resolution, 40–46
  federal. See Federal cyberlaw enforcement
  international. See International cyberlaw enforcement
  jurisdiction. See Jurisdiction
  local, 26, 28f, 92
  overview, 24–25
  regulatory. See Regulatory law
  state. See State cyberlaw enforcement
Cyberlaw librarians, 201, 201f
Cyber liability insurance
  act of war defense, 222
  components, 215
  coverage categories, 215–217, 216t
  cyber risk insurance pools, 223

  cybertrespass to chattel, 23
  defined, 22
  intentional cybercrimes against persons, 23
  punishment for, 32–33
  reasonable person doctrine, 54
  rules of civil procedure, 60–62, 61t
Cybertrespass, 23
Cyber vandalism, 16t
Cybervigilantism, 19
Czech Republic, cryptography laws in, 138

  accountability matrix, 202–203, 203t
  architecture, 199, 200f
  bill of materials, 230, 281t
  business view of, 199, 200f
  compliance auditing, 225–229, 226f, 227–229t
  components, 196–198, 197f, 200f, 281t
  cryptography, 197, 197f, 200f, 204–205, 213t, 281t
  cyber liability insurance, 197f, 198, 200f, 206, 214–224, 216t, 223f, 281t
  cyber liability stress test, 280t
  data breach calculators, 224, 225t
  data breach worksheet, 224, 224t
  data privacy protection, 197, 197f, 200f, 204, 205, 281t
  development of, 195–230
  digital forensics, 197f, 198, 200f, 205–206, 281t
  functional view of, 199, 200f
  ISO/IEC 27002 standards, 214
  law and regulations library, 197f, 198, 209–211, 210–211t
  mapping legal requirements to controls, 212, 213t
  model, 196–198, 197f
  next steps, 230. See also Future cybersecurity law developments
  overview, 195–196, 230
  policies, 197f, 198, 200f, 203–206, 281t
  procedures, 197f, 198, 200f, 206, 206–207t, 281t
  research sources, 278t
  staffing and roles, 200–203, 201f, 203t, 281t
  strict liability tort foreseeability, 23–24
  subcomponents, 196, 197f, 198, 200f, 281t
  technical view of, 199, 200f
  technology, 197f, 198, 200f, 208–212, 210–211t, 281t
Cybersecurity Responsibility and Accountability Act (2016), 244
Cybersecurity Systems and Risks Reporting Act (2016), 48, 109, 243
Cybersecurity Workforce Assessment Act (2014), 57
Cyber-slander, 19
Cybersquatting, 16t
Cyber stalking, 16t, 19, 23
Cyber terrorism, 16t, 19
Cyber torts
  cyber-conversion, 23
  Cyber Tort Readiness Checklist, 230, 276t

D
Damages. See also Punishment and penalties
  negligence, 24, 55
  successful data breach lawsuits, 47t
  summary judgments, 46
D&O (directors and officers) insurance, 113
Data breach calculators, 224, 225t
Data Breach Insurance Act, 243
Data breach litigation
  injury vs. no-injury class action lawsuits, 105–106, 108–109
  privacy protection, 105–111
  research sources, 278t
  securities fraud lawsuits, 110–111
  shareholder derivative lawsuits, 109–110
  successful lawsuits, 47, 47t
  Supreme Court data privacy rulings, 107–109
Data breach notification laws
  dispositive motions, 43
  duty to reveal security breaches, 48, 49–50
  encrypted data, 94, 98, 139
  federal, 95–98
  healthcare data privacy, 85–86, 89t, 95
  international, 99–101, 99f, 100t, 103
  jurisdiction, 29
  prevalence of breaches, 93, 94b
  privacy protection and, 93–101, 103
  red flags rules, 97–98
  research sources, 278t
  state, 27, 27b, 94
  tribal sovereign immunity, 90
Data breach worksheet, 224, 224t
Data brokers, 239
Data compliance lifecycle, 115, 116t
Data disposal laws, 115, 116t
Data erasure laws, 80
Data localization laws, 255, 256–257t
Data loss prevention (DLS) systems, 24, 116
Data protection

DDTC (Directorate of Defense Trade Controls), 132, 142t
Defendants, 17
Defense Department
  cybersecurity data not shared by, 236
  Defense Federal Acquisition Regulations Supplement, 163–165
  False Claims Act cases, 69
Defense Federal Acquisition Regulations Supplement (DFARS), 163–165
Delaware
  cryptography patent infringement, 135
  event data recorder privacy protection, 119t
  genetic information privacy law, 154t
  identity theft laws, 68
  Online Privacy and Protection Act, 80
  social media privacy protection, 118
Deloitte Touche Tohmatsu, 228b
Denial of service (DoS), 23, 65. See also Distributed denial of service
Denmark
  cryptography laws, 138, 143t
  Data Protection Act (2018), 143t
Dennis, United States v. (2001), 65
Department of ___. See name of department
Derivative lawsuits, 109–110
DeWine, Mike, 65
DFARS (Defense Federal Acquisition Regulations Supplement), 163–165
DHHS. See Health and Human Services Department
DHS. See Homeland Security Department
Diaz, People v. (2013), 120
Digital assistant privacy issues, 117
Digital forensics
  CLOUD Act (2018), 151–152
  cryptography breach detection, 127
  cybersecurity law program component, 197f, 198, 200f, 205–206, 281t
  digital best evidence rule, 145–146, 205
  digital chain of custody, 146, 205
  digital data admissibility in court, 147
  digital evidence spoliation, 147–148, 205
  digital forensics lead role, 202
  expert witnesses, 148b, 149, 212b
  forensic toolkits, 212, 279t
  Fourth Amendment rights, 145, 148–149
  legal aspects, 144–150
  policies, 205–206
  preservation orders, 144–145, 205
  search and seizure, 145, 148–149, 206

  APEC Cross-Border Privacy Rules System, 252–254, 254f, 254t
  arbitration, 42, 42b
  automated license plate reader, 120–121, 121t
  big data implications, 238–239
  biometrics, 44, 152–154, 153t
  cloud computing implications, 239–240
  common law duty, 54–55
  cryptography for. See Cryptography
  cybersecurity law program component, 197, 197f, 200f, 204, 205, 281t
  data breach calculators, 224, 225t
  data breach litigation, 105–111
  data breach notification laws. See Data breach notification laws
  data breach worksheet, 224, 224t
  data compliance lifecycle, 115, 116t
  data destruction, 19
  data disposal laws, 115, 116t
  data erasure laws, 80
  data loss prevention systems, 24, 116
  data theft, 16t, 19, 31t, 42
  digital assistant, 117
  dispositive motions, 43–44, 44–45t
  duty of care doctrine, 48–52
  electronic wiretap laws, 116
  event data recorder, 118–120, 119–120t
  evidentiary. See Evidence, digital
  failure to act doctrine, 52–54
  GDPR, 78, 100, 102–105, 102f, 103–104t
  genetic information, 154, 154t
  healthcare, 80–87, 82–84t, 86t, 88–89t, 95, 154, 172–173, 204
  hosting personal data, 17b
  personal liability, 109–110, 112–115
  policies, 204, 205
  preservation orders, 144–145, 205
  reasonable person doctrine, 54
  social media, 117–118, 117–118t
  summary judgments, 46
  tribal, 90
Data Protection Act (France), 100t
Data Protection Act (UK), 100t
Data Protection Directive (1995, EU), 265
Data Protection Laws of the World (DLA Piper), 92, 99
Data Retention Directive (2006, EU), 265
Data Security and Breach Notification Act (2015), 95
DDoS (distributed denial of service), 16t, 65

EDR (event data recorder) privacy, 118–120, 119t, 120t
Education
  privacy protection, 25, 87t, 167–168
  school cyber bullying policies and sanctions, 68–69
Education Department, 167
Egypt, UN Universal Cybersecurity Legal Framework in, 262
EHR (Electronic Health Record) access, 85
E.I. DuPont de Nemours, 14
Election Security Act (2019), 66
Election Security Assistance Act (proposed), 66
Election Technology Research Act (2019), 66
Electronic Commerce Directive (2000, EU), 265
Electronic Communications Privacy Act (ECPA, 1986), 57, 88t, 116, 152
Electronic Health Record (EHR) access, 85
Electronic signatures, 170–171, 172f, 251
Electronic wiretap laws, 116
Elliptic curve algorithms, 129t
Email, preservation orders, 144–145
Employees. See Personnel
EnCase Forensic, 212, 279t
ENCRYPT (Ensuring National Constitutional Rights for Your Private Telecommunications) Act, 152
Encryption. See Cryptography
Enforcement. See Cyberlaw enforcement; Punishment and penalties
ENISA (European Union Agency for Network and Information and Security), 166–167, 265
Enron, 178
Ensuring National Constitutional Rights for Your Private Telecommunications (ENCRYPT) Act, 152
Entertainment Software Rating Board (ESRB) Kids Seal, 78
Equifax, 25–26, 44, 47t
ESRB (Entertainment Software Rating Board) Kids Seal, 78
Estonia
  armed conflict law in cyberwar, 260
  cryptography laws, 138
Ethical hacking, 53, 242
EUDRALEX Rules Governing Medicinal Products in the European Union, 171
European Cybercrime Centre (EC3), 265
European Union (EU)
  Agency for Network and Information and Security (ENISA), 166–167, 265

  security consultant-client privilege, 149–150
  state laws, 150, 151t
Digital Millennium Copyright Act (DMCA), 142t, 240
Digital search warrants, 137
Directive on Security of Network and Information Systems (NIS Directive, 2016), 165–166, 165f, 265
Directorate of Defense Trade Controls (DDTC), 132, 142t
Directors and officers (D&O) insurance, 113
Discover, 177
Disney, 79t
Dispositive motions, 40, 41f, 43–44, 44–46t
Distributed denial of service (DDoS), 16t, 65
Dittman v. UPMC (2018), 24, 55
DLA Piper, Data Protection Laws of the World, 92, 99
DLS (data loss prevention) systems, 24, 116
DMCA (Digital Millennium Copyright Act), 142t, 240
Dodd-Frank Wall Street Reform and Consumer Protection Act (2010), 98, 114
Doe, United States v. (1988), 140
DOJ. See Justice Department
Domain names, 23
Doren Mayhew, 225t
DoS (denial of service), 23, 65. See also Distributed denial of service
Driver Privacy Act (2015), 89t, 120
Driver’s Privacy Protection Act (DPPA, 1994), 88t
DSW Shoe Warehouse, Inc., 220
Duty of care doctrine
  duty to accurately disclose safeguards, 48, 51
  duty to protect information, 48, 51–52
  duty to provide reasonable security, 39, 48, 49
  duty to reveal security breaches, 48, 49–50
  shareholder derivative lawsuits for breach, 109–110
  state-based laws, 52
  US cybersecurity law, 39, 48–52

E
eBay, 45t
EC3 (European Cybercrime Centre), 265
eClinicalWorks, 115
Economic loss doctrine, 24, 55
ECPA (Electronic Communications Privacy Act, 1986), 57, 88t, 116, 152
eDiscovery software, 208–209, 208b, 274t

  failure to act duty, 52
  failure to warn duty, 52, 53
  Good Samaritan laws, 52, 53–54
  US cybersecurity law, 52–54
Fair and Accurate Credit Transactions Act (FACTA, 2003), 88t, 115
Fair Credit Reporting Act (FCRA, 1970), 87t, 97–98
Fair Debt Collection Practices Act (2010), 89t
False Claims Act (FCA), 69, 85b, 114
Family Educational Rights and Privacy Act (FERPA, 1974), 25, 87t, 167–168
FAR (Federal Acquisition Regulation), 163
FAST Act-Driver Privacy Act (2015), 89t, 120
FBI (Federal Bureau of Investigation), 27, 58, 60, 89, 141, 149b, 259, 275t
FCA (False Claims Act), 69, 85b, 114
FCRA (Fair Credit Reporting Act, 1970), 87t, 97–98
FDA (Food and Drug Administration) Code of Federal Regulations, Title 21, Part 11, 25, 170–171, 172f
FDPA (Federal Data Protection Act, Germany), 100t
Federal Acquisition Regulation (FAR), 163
Federal Aviation Administration (FAA), 244
Federal Bureau of Investigation (FBI), 27, 58, 60, 89, 141, 149b, 259, 275t
Federal Computer Security Act (2015), 39, 57
Federal Computer Systems Protection Act (1979), 38, 62
Federal cyberlaw enforcement
  children’s privacy laws, 77–80, 79t, 88t, 205
  computer crime statutes, 39, 56–59, 59t, 64–65, 75
  data breach notification laws, 95–98
  denial of service laws, 65
  future legislation, 242–244
  healthcare data privacy protection, 80–87, 82–84t, 86t, 88–89t
  identity theft laws, 75
  Internet of Things legislation, 238
  jurisdiction, 28f, 29–30
  overview, 27
  privacy law summary, 87–89, 87–89t
  procedural law, 59–62, 60–61t, 208–209
  ransomware laws, 64–65
  US Code, description of, 58–59, 59t
Federal Cybersecurity Workforce Assessment Act, 244

  ALCOA Model, 171, 172f
  Brexit cybersecurity impacts, 264–265
  Budapest Convention on Cybercrime, 264
  Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, 264
  Cybersecurity Act (2018), 166–167
  data localization laws, 255
  Data Protection Directive, 265
  Data Retention Directive, 265
  Electronic Commerce Directive, 265
  European Cybersecurity Certificates, 167
  European Union Cybersecurity Act, 166–167
  G7 cybercrime agreement, 265–266, 266t
  GDPR. See General Data Protection Regulation
  NATO Technical Arrangement on cyber defense with, 261–262
  Security of Network and Information Systems Directive, 165–166, 165f, 265
Europol, 265
Eventbrite, Inc., 43
Event data recorder (EDR) privacy, 118–120, 119t, 120t
Evidence, digital
  admissibility in court, 147
  best evidence rule, 145–146, 205
  chain of custody, 146, 205
  eDiscovery software, 208–209, 208b, 274t
  expert witnesses, 148b, 149, 212b
  Fourth Amendment rights, 145, 148–149
  preservation orders, 144–145, 205
  privileged information, 149–150
  procedures for compliance, 206–207t
  spoliation, 147–148, 205
Executive Orders, 245–246t
The Expert Institute, 148b
Expert witnesses, 148b, 149, 212b
Exploit kit sales, 16t
Explore Talent, 79t
Export cryptography control laws, 130–131, 204
Extradition, 30, 30–31t

F
FAA (Federal Aviation Administration), 244
Facebook, 27, 44, 50, 117
FACTA (Fair and Accurate Credit Transactions Act, 2003), 88t, 115
Fahd, Muhammad, 30t
Failure to act doctrine

  automated license plate reader privacy protection, 121t
  computer crime laws, 62
  data breaches, 94b
  digital forensics laws, 151t
  genetic information privacy law, 154t
  social media privacy protection, 117t
Folino v. Hines (2018), 147b
Food and Drug Administration (FDA) Code of Federal Regulations, Title 21, Part 11, 25, 170–171, 172f
Forensic Toolkit (FTK)®, 212, 279t
Forensic toolkits, 212, 279t
Foreseeable harm, 23–24, 48
Foregone conclusion rule, 137
For the People Act (2019), 66
Fortinet, 114–115
Forum of Incident Response and Security Teams (FIRST), 130b
Fourth Amendment
  data breach litigation, 107
  digital assistant privacy issues, 117
  digital forensics, 145, 148–149
  encrypted data, 136–137
  event data recorder privacy, 120
  preservation order implications, 145
  text of, 137
France
  Basel III Accord, 160–161, 160–161t
  cryptography laws, 138, 142, 143
  Data Protection Act, 100t
  G7 cybercrime agreement, 265–266, 266t
  GDPR violations, 103–104t
Fraud scams
  advance fee fraud, 16t
  Basel III Accord, 160t
  data breach notification law to prevent, 27
  extradition for, 31t
  as personal cybercrime, 19
  securities fraud lawsuits, 110–111
  US cybersecurity law on, 39
FRC (Financial Reporting Council, UK), 229t
Freedom of Information Act, 54
Fresenius Medical Care North America, 82t
FTC. See Federal Trade Commission
FTCA (Federal Trade Commission Act, 1994), 88t
FTK (Forensic Toolkit)®, 212, 279t
Future cybersecurity law developments
  armed conflict law in cyberwar, 260–261
  Brexit and EU cybersecurity impacts, 264–265
  constitutionality issues, 236

Federal Data Protection Act (FDPA, Germany), 100t
Federal Financial Institutions Examination Council (FFIEC), 25, 168
Federal Information Security Management Act (FISMA, 2002), 25, 168–169
Federal Information Security Modernization Act (2014), 39, 57
Federal Insurance Co., 220
Federal Recovery Acceptance Inc., 220–221
Federal Recovery Services, Inc., 220–221
Federal Trade Commission (FTC)
  children’s privacy protection, 78, 79t
  as cybercrime reporting agency, 275t
  data breach enforcement, 95, 96b, 97–98, 113–114
  data disposal rule, 115
  Division of Privacy and Identity Protection, 29
  jurisdiction challenges, 29–30, 29b
Federal Trade Commission Act (FTCA, 1994), 88t
FedEx, 223
Feinstein, Dianne, 149b
Feinstein Institute for Medical Research, 81
FERPA (Family Educational Rights and Privacy Act, 1974), 25, 87t, 167–168
FFIEC (Federal Financial Institutions Examination Council), 25, 168
Fiat Chrysler, 53, 192
Fifth Amendment
  encrypted data, 137–138, 140–141
  foregone conclusion rule, 137
  text of, 138
Financial industry. See Banking and financial industry
Financial Industry Regulatory Authority (FINRA), 25, 43, 141–142t, 169–170
Financial Institutions Reform Recovery Act, 114
Financial Modernization Act (1999). See Gramm-Leach-Bliley Act
Financial Reporting Council (FRC, UK), 229t
Finland, cryptography laws in, 138
FINRA (Financial Industry Regulatory Authority), 25, 43, 141–142t, 169–170
FIRST (Forum of Incident Response and Security Teams), 130b
First Amendment, 117, 236
FISMA (Federal Information Security Management Act, 2002), 25, 168–169
F letters, 144–145
Florida

  Federal Data Protection Act, 100t
  G7 cybercrime agreement, 265–266, 266t
  Institut der Wirtschaftsprüfer in Deutschland e.V., 229t
GitHub, 17b
GLBA (Gramm-Leach-Bliley Act, 1999), 88t, 95–97, 111
Gonzalez, Albert, 15b, 32
Good Manufacturing Practice, 171
Good Samaritan laws, 52, 53–54
Google, 53, 79t, 103t, 117
Gramm-Leach-Bliley Act (GLBA, 1999), 88t, 95–97, 111
Greece
  cryptography laws, 138
  data localization laws, 256t
Gribodemon, 32
Group of 7. See G7
Guardians of Peace, 33
Guccifer, 15
Guidance Software, 279t
GxP Readiness Checklist, 171, 172f

  G7 cybercrime agreement, 265–266, 266t
  international cyberlaw harmonization, 248–258, 254f, 254t, 256–257t
  international cybersecurity treaties, 263–264
  legislation, 236, 242–244
  maritime-cybersecurity law alignment, 258–259
  NAIC Model Cybersecurity Law, 246–248, 247f
  NATO cyberlaw stance, 261–262
  outer space cybersecurity law, 259–260
  overview, 235, 267
  technology impacts, 236, 237–242
  UN Universal Cybersecurity Legal Framework, 262–263, 262–263t
  US foreign policy on cybersecurity, 244–246, 245–246t
  US legislation, 242–244

G
G7 (Group of Seven)
  cybercrime agreement, 265–266, 266t
  data breach laws, 99–100, 100t
  defined, 99
GAAP (generally accepted accounting principles), 50
Ganias, United States v. (2016), 148
Gasperini, Fabio, 31t
GDPR. See General Data Protection Regulation
GDPRkids™ Privacy Assured Program, 78
Gemalto, 225t
General Data Protection Regulation (GDPR), 102–105, 102f, 103–104t
  Brexit impacts, 265
  children’s privacy protection, 78
General Electric, 253
Generally accepted accounting principles (GAAP), 50
Genesco, Inc. v. Visa U.S.A., Inc. (2013), 149
Genetic information privacy laws, 154, 154t
Georgia (state)
  data breaches, 94b
  digital forensics laws, 150, 151t
  genetic information privacy law, 154t
Georgia (country), armed conflict law in cyberwar in, 260
Germany
  Basel III Accord, 160–161, 160–161t
  cryptography laws, 138
  data localization laws, 256t

H
Hacket, Rogelio, 14
Hacking, 16t. See also Cybercrimes
Hacktivism. See Cyber activism
Haga Hospital, 104t
Hancock v. State (1967), 38
Harderman, 32
Hard Rock Hotel and Casino, 89b
Harm
  data breach litigation requirements, 105–106, 108–109
  data breach notification standards, 94
  dispositive motions for lack of, 44
  foreseeable, 23–24, 48
The Hartford, 277t
Hasbro, 80
Hash algorithms, 129t
Hawaii, social media privacy protection in, 117t
Health and Human Services Department (DHHS)
  encryption requirements, 141t
  healthcare data privacy protection, 80–82, 84–85, 173
  law enforcement disclosure guidelines, 84
Healthcare industry
  accreditation, 173–175, 174–175t, 174f
  ALCOA Model, 171, 172f

  SBDC Cyber Strategy, 244
Hong Kong
  cryptography laws, 142
  data localization laws, 256t
  extradition from, 30t
Housh v. Peth (1956), 76
Huawei, 130b
Huddleson, Taylor, 15
Hungary, cryptography laws in, 133t, 138

  data privacy protection, 80–87, 82–84t, 86t, 88–89t, 95, 154, 172–173, 204
  dispositive motions, 45t
  regulatory enforcement, 25
  state enforcement, 27b, 82
  successful data breach lawsuits, 47t
Health Information Technology for Economic and Clinical Health (HITECH) Act (2009), 25, 85, 89t, 172
Health Insurance Portability and Accountability Act (HIPAA)
  Administrative Simplification provisions, 173
  data breach notification rule, 85–86, 89t, 95
  data privacy protection, 80–86, 82–84t, 86t, 88–89t
  genetic information coverage lack, 154
  HITECH Act and, 85, 172
  law enforcement disclosure, 84, 84t
  overview, 173
  Privacy Rule, 80–82
  regulatory enforcement, 25
  risk assessment for breach, 86t
Heartland Payment Systems, Inc., 110
Heimdal Security, 129
Hewlett-Packard, 253
HIPAA. See Health Insurance Portability and Accountability Act
HITECH (Health Information Technology for Economic and Clinical Health) Act (2009), 25, 85, 89t, 172
Hofmann, Mignon, 112b
Holmes, Stephen, 110
Home Depot, 47t
Homeland Security Department (DHS)
  bug bounty pilot program, 58
  Cyber Hunt and Incident Response Teams Act (2019), 64–65
  Cybersecurity and Infrastructure Security Agency, 58, 161–162, 243
  cybersecurity information sharing, 54
  cybersecurity workforce assessment, 57
  data breach enforcement, 95
  FISMA information security policy authority, 169
  maritime cybersecurity risk assessment model, 243
  maritime self-defense or defense of others guidance, 258
  national cybersecurity and communications integration center, 57, 243
  risk exposure reporting, 58

I
IAASB (International Auditing and Assurance Standards Board), 229t
Ibiwoye, Damilola Solomon, 31t
IBM, 220, 224b, 225t, 253
ICAI (Institute of Chartered Accountants of India), 229t
ICC (International Chamber of Commerce), 43
Identity impersonation, 19
Identity theft
  cybercrimes of, 14–15, 19
  data breach notification law to prevent, 27
  extradition for, 31t
  failure to act doctrine, 52
  federal laws, 75
  forfeiture programs, 68
  from outer space, 259b
  passport programs, 68
  punishment and penalties for, 32b
  red flag rules, 98
  restitution programs, 68
  state laws, 67–68
  taxonomy, 16t
Identity Theft and Assumption Deterrence Act (1998), 67
Identity Theft Penalty Enhancement Act (2004), 67
IDS (intrusion detection systems), 24
IDW (Institut der Wirtschaftsprüfer in Deutschland e.V.), 229t
IEEE (Institute of Electrical and Electronic Engineers) Cybersecurity Standards, 190
IFAC (International Federation of Accountants), 229t
IIA (Institute of Internal Auditors), 229t
iKeepSafe (Internet Keep Safe Coalition), 78, 205
Illinois
  Biometric Information Privacy Act, 44, 153t
  election security, 66
  social media privacy protection, 118

Intentional cybercrimes against persons, 23
Intentional torts, 22
Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 95
Internal Revenue Service (IRS), 142t, 243
International Auditing and Assurance Standards Board (IAASB), 229t
International Chamber of Commerce (ICC), 43
International cyberlaw enforcement
  APEC Cross-Border Privacy Rules System, 252–254, 254f, 254t
  arbitration, 43
  CPTPP cybersecurity framework, 250–252
  cryptography laws, 129–138, 142–144, 143t, 204
  cyberbalkanization laws, 255
  data breach laws, 99–101, 99f, 100t, 103
  data localization laws, 255, 256–257t
  extradition, 30, 30–31t
  harmonization of laws, 248–258, 254f, 254t, 256–257t
  outer space cybersecurity law, 259–260
  overview, 27
  privacy laws, 92–93, 249, 252–254, 254f, 254t. See also General Data Protection Regulation
  Singapore Payment Services Act, 257–258
  trade pacts and, 249
  treaties on cybersecurity, 263–264
  US-Mexico-Canada Agreement, 254–255
International Cyber Policy Oversight Act (2015), 243
International Federation of Accountants (IFAC), 229t
International Organization for Standardization (ISO)
  Basel III Accord compliance, 161
  ISO/IEC 27001:2013, 49, 180f, 181
  ISO/IEC 27002:2013, 180f, 181, 214
  ISO/IEC 27003:2010, 182
  ISO/IEC 27004:2016, 182
  ISO/IEC 27014:2013, 182
  ISO/IEC TR 27016:2014, 182
  ISO/IEC 27017:2015, 182–183
  ISO/IEC 27018:2019, 183
  ISO/IEC 27032:2012, 183
  ISO/IEC 27033:2015, 183–184
  ISO/IEC 27034:2011, 184
  ISO/IEC 27035:2016, 184–185
  ISO/IEC 27036:2014, 185

IMDA (Infocomm Media Development Authority), 254t
Immigration and Customs Enforcement, US, 275t
Import cryptography control laws, 132–133, 133t, 204
Inchoate cybercrimes, 19–20
Incident response plans, 19–20
India
  Basel III Accord, 160–161, 160–161t
  cryptography laws, 143
  data localization laws, 256t
  Institute of Chartered Accountants of India, 229t
  Personal Data Protection Bill, 101
Indian Gaming Regulatory Act (1998), 90
Indonesia, data localization laws in, 256t
Industry self-regulated oversight, 25, 189–192
Infamous cybercrimes, 14–15
Infocomm Media Development Authority (IMDA), 254t
Information Technology Examination Handbook (IT Handbook), 168
Information Technology Infrastructure Library (ITIL), 206
Information Technology Service Management (ITSM), 206
Injury-in-fact requirements, 106
InMobi, 79t
Insectra, 279t
Institut der Wirtschaftsprüfer in Deutschland e.V. (IDW), 229t
Institute of Chartered Accountants of India (ICAI), 229t
Institute of Electrical and Electronic Engineers (IEEE) Cybersecurity Standards, 190
Institute of Internal Auditors (IIA), 229t
Institutional cybercrimes, 19
Instrumentation, Systems, and Automation Society (ISA) standards, 190–191, 190f
Insurance
  cyber liability insurance, 197f, 198, 200f, 206, 214–224, 216t, 223f, 277t, 281t
  directors and officers, 113
  insurance risk managers, 201f, 202
  NAIC Model Cybersecurity Law, 246–248, 247f
  provider list, 277t
Insurance Data Security Model Law (2017), 246–248, 247f
Intel, 132b
Intellectual property, 14, 240, 249. See also Patent infringement

  Japanese Institute of Certified Public Accountants, 229t
  UN Universal Cybersecurity Legal Framework, 262
Japan Credit Bureau (JCB), 177
Japanese Institute of Certified Public Accountants (JICPA), 229t
Japan Institute for Promotion of Digital Economy and Community (JIPDEC), 254t
JCB (Japan Credit Bureau), 177
JCPenney, 14
Jeep, 53
JetBlue Airways, 14
Joint Commission on the Accreditation of Healthcare Organizations (JCAHO), 25, 173–175, 173b, 174–175t, 174f
JPMorgan Chase, 259
Judicial Redress Act (2015), 89t
JumpStart, 80
Jurisdiction
  challenging, 29–30
  cryptography patent infringement, 134–135
  cybercrime trial courts, 28f
  cybersecurity law, 28–31
  defined, 28
  extradition, 30, 30–31t
  federal cyberlaw enforcement, 28f, 29–30
  GDPR, 103
  lack of personal, 44
  lack of subject matter, 44
  state cyberlaw enforcement, 28f, 44, 62–63
  tribal, 89–90
Justice Department (DOJ)
  Big Data: Seizing Opportunities, Preserving Values study, 238
  Computer Crime and Intellectual Property Section, 27
  cyberlaw enforcement, 27, 60, 81–82, 85
  search and seizure rule, 60
  State Bureau of Investigation funding, 26

ISO/IEC 27037:2012, 185 security standards, 180–181f, 180–185 International Space Station, 259, 259b International Traffic in Arms Regulations (ITAR), 132, 142t Internet Brands, Inc., 53 Internet Crime Complaint Center, 275t, 278t Internet Keep Safe Coalition (iKeepSafe), 78, 205 Internet of Things (IoT), 167, 237–238 Internet of Things (IoT) Cybersecurity Improvement Act (2017), 238 Intrusion detection systems (IDS), 24 Iowa, identity theft laws in, 68 Iran armed conflict law in cyberwar, 260 cryptography laws, 133t Ireland, cryptography laws in, 138 IRS (Internal Revenue Service), 142t, 243 ISA (Instrumentation, Systems, and Automation Society) standards, 190–191, 190f ISO. See International Organization for Standardization Israel cryptography laws, 133t, 142 extradition from, 31t Italy cryptography laws, 138 G7 cybercrime agreement, 265–266, 266t Italian Privacy Code, 100t ITAR (International Traffic in Arms Regulations), 132, 142t IT Handbook (Information Technology Examination Handbook), 168 ITIL (Information Technology Infrastructure Library), 206 ITSM (Information Technology Service Management), 206 J Jane Doe No. 14 v. Internet Brands, Inc., DBA Model Mayhem (2011), 53 Japan Act on Protection of Personal Information, 100t APEC Cross-Border Privacy Rules System, 252, 253, 254t CPTPP cybersecurity framework, 250 cryptography laws, 138 G7 cybercrime agreement, 265–266, 266t

K Kansas, identity theft laws in, 68 Kazakhstan cryptography laws, 133t data localization laws, 256t Kelihos botnet, 30t Kelly, Daniel, 15 Kentucky, identity theft laws in, 68 KidSAFE (Samet Privacy), 78 297

Kolon Industries, 14 Kopçak, Onur, 32b

M Maersk, 223 Maine, automated license plate reader privacy protection in, 121t Malaysia CPTPP cybersecurity framework, 250 data localization laws, 256t extradition from, 31t Malta, cryptography laws in, 138 Malware, 16t, 30–31t, 32. See also Ransomware Mapping legal requirements to controls, 212, 213t Maritime Administration (US), 258b Maritime law cybersecurity law alignment, 258–259 maritime cybersecurity risk assessment model, 243 UN Convention on the Law of the Sea, 258– 259, 260 Marriott International, 104 Maryland, identity theft laws in, 68 Mascheroni, Pedro Leonardo, 38b Massachusetts CIPO law, 92t cryptography laws, 139 genetic information privacy law, 154t social media privacy protection, 117t Massachusetts General Hospital, 81 Massachusetts Institute of Technology (MIT), 39 Master Card, 177, 253 Mattel, 80 McClain, Anne, 259b McNeal v. Navajo Nation (2019), 90 Mediation law, 40, 41–42, 41f Medical Informatics Engineering, 27b Medicinal Products for Human and Veterinary Use, 171 Mens rea, 20, 21f Merck, 222b Meta Financial Group, 227t Meta tagging, 209–210, 210t Mexico APEC Cross-Border Privacy Rules System, 252, 253 CPTPP cybersecurity framework, 250 data localization laws, 256t US-Mexico-Canada Agreement, 254–255 Michigan digital forensics laws, 150, 151t identity theft laws, 68

L LabMD, 29–30, 29b Labor Department, 113 Latvia, cryptography laws in, 138 Lavabit LLC, 141 Law and regulations library, 197f, 198, 209–211, 210–211t. See also Library Law enforcement agencies Brexit and EU, 265 cybercrime reporting agencies, 275t digital forensics, 127, 144–152 encryption key disclosure to, 140–141, 143 healthcare data disclosure, 84, 84t technology developments and, 237 Law of the sea. See Maritime law Legal and regulatory update subscription, 210, 211t Lewert v. P.F. Chang’s China Bistro, Inc. (2016), 106 LexisNexis, 210 LexisNexis Risk Solutions, 110 Library cyberlaw librarians, 201, 201f Information Technology Infrastructure Library, 206 law and regulations library, 197f, 198, 209– 211, 210–211t legal and regulatory update subscription, 210, 211t meta tagging, 209–210, 210t privacy law library, 205 LifeLock Inc., 113–114 Line, 129 LinkedIn, 44, 46t, 117 Lithuania cryptography laws, 138 GDPR violations, 104t Local cyberlaw enforcement chief privacy officers, 92 jurisdiction, 28f overview, 26 Logikcull.com, 274t Lone Star Bank v. Heartland Payment Systems (2013), 24 Luxembourg, cryptography laws, 138 Lyft, 241 298

National Cybersecurity Protection Advancement Act (2015), 243 National Defense Authorization Act, 114 National Highway Traffic Safety Administration (NHTSA) standards, 191–192 National Indian Gaming Commission, 90 National Initiative for Cybersecurity Education Cybersecurity Workforce Framework (NICE Framework), 188, 244 National Institute of Standards and Technology (NIST) authority of director, 244 Basel III Accord compliance, 161 cryptography standards, 128, 139 cyber hygiene best practices, 243 Cybersecurity Framework, 191 cybersecurity special publications, 180f, 185– 188, 186f election security standards, 66 Framework for Improving Critical Infrastructure Cybersecurity, 243 HIPAA Security Rule Toolkit, 86 Small Business Cybersecurity Act (2018), 58 Special Publication 800-34 Rev. 1, 186 Special Publication 800-40 Rev. 3, 186 Special Publication 800-53 Rev. 5, 49, 186 Special Publication 800-55 Rev. 1, 187 Special Publication 800-61 Rev. 2, 187 Special Publication 800-88 Rev. 1, 187 Special Publication 800-100, 187 Special Publication 800-114 Rev. 1, 187 Special Publication 800-125, 188 Special Publication 800-160 Vol. 1, 188 Special Publication 800-171, 164 Special Publication 800-171 B, 188 Special Publication 800-181, 188 National Science Foundation (NSF), 66 National Security Act (1947), 243 National Security Agency (NSA), 132 National Union Fire Insurance Co., 220, 221 NATO. See North Atlantic Treaty Organization NCSL (National Conference of State Legislatures), 65, 67 Nebraska, social media privacy protection in, 118 Negligence cyber liability insurance exclusion for, 214b defined, 22 health data privacy protection, 85 penalties and damages for, 24, 32–33, 55 reasonable person doctrine, 54 Neiman Marcus Group LLC, 105–106, 114

ransomware laws, 64t Microsoft, 14, 52, 209, 212 Minnesota Plastic Card Security Act (2007), 52 social media privacy protection, 118t Minors’s privacy laws. See Children’s privacy laws Misrepresentation duty to accurately disclose safeguards to avoid, 48, 51 False Claims Act prohibiting, 69, 85b, 114 Mississippi, identity theft laws in, 68 Missouri, digital forensics laws in, 151t MisterTango UAB-Payment Processor, 104t Model Mayhem, 53 Model State Computer Crimes Code, 62 Moldova, cryptography laws in, 133t Mondelez International, Inc. v. Zurich American Insurance Company (2018), 222 Montana automated license plate reader privacy protection, 121t identity theft laws, 68 social media privacy protection, 118 Morocco, cryptography laws in, 133t Morris, Robert Tappan, 39 Morris, United States v. (1991), 39 Move v. Zillow (2016), 148 Mrs. Fields, 79t Municipal code enforcement. See Local cyberlaw enforcement Musical.ly (Tik Tok), 79t Musienko, Aleksandr, 30–31t MyFitnessPal, 42b N NanoCore, 15 NASA, 69, 259 National Academy of Engineering, 39 National Aerospace Standard 9933, 191 National Association of Insurance Commissioners (NAIC) Model Cybersecurity Law, 246– 248, 247f National Conference of State Legislatures (NCSL), 65, 67 National Cybersecurity Preparedness Consortium Act (2016), 244 National Cybersecurity Protection Act (2014), 39, 57 299

NIST. See National Institute of Standards and Technology NoMoreClipboard, 27b North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP), 25, 176–177, 176f North Atlantic Treaty Organization (NATO) Cooperative Cyber Defense Centre of Excellence, 261 cyberlaw stance, 261–262 Industry Cyber Partnership, 262 Technical Arrangement on cyber defense, 261– 262 North Carolina, digital forensics laws, 151t North Korea, cyberbalkanization laws, 255 Norway, cryptography laws, 138 NotPetya attacks, 222, 222b, 223 NSA (National Security Agency), 132 NSF (National Science Foundation), 66 Nucor Corp. v. Bell (2008), 212b

NERC (North American Electric Reliability Corporation) Critical Infrastructure Protection (CIP), 25, 176–177, 176f NetCracker Technology Corp., 115 NetDiligence, 218–219, 225t Netflix, 134 Netherlands, the cryptography laws, 138 extradition from, 31t GDPR violations, 104t Scientific and Technological Cooperation Agreement, 264 Netwrix Auditor, 211t Nevada cryptography laws, 139 digital forensics laws, 150, 151t identity theft laws, 68 payment card data breach law, 52 New Hampshire, automated license plate reader privacy protection in, 121t New Jersey computer crime laws, 62 event data recorder privacy protection, 119t New Mexico, identity theft laws in, 68 New York data breaches, 94b digital forensics laws, 150, 151t genetic information privacy law, 154t ransomware laws, 64 SHIELD Act, 153t social media privacy protection, 118t New York-Presbyterian Hospital, 83t New Zealand CPTPP cybersecurity framework, 250 cryptography laws, 138 data localization laws, 256t Nextpoint, Inc., 274t NHTSA (National Highway Traffic Safety Administration) standards, 191–192 NICE Framework (National Initiative for Cybersecurity Education Cybersecurity Workforce Framework), 188, 244 Nigeria cryptography laws, 143t data localization laws, 257t NITDA Data Protection Regulation (2019), 143t privacy laws, 92 NIS Directive (Directive on Security of Network and Information Systems, 2016), 165– 166, 165f, 265

O Oath, Inc., 79t OECD (Organisation for Economic Co-operation and Development) Privacy Framework, 251 Office of Management and Budget (OMB), 169 Office of Personnel Management, 112, 227t Ohio CIPO law, 92t cyber reserve laws, 65 identity theft laws, 68 Oklahoma, identity theft laws in, 68 Olaniyi, Olayinka, 31t Oliphant v. Suquamish (1978), 90 OMB (Office of Management and Budget), 169 Operation Child Tracker, 80 Oregon data breaches, 94b event data recorder privacy protection, 119t Oregon Health & Science University, 83t Organisation for Economic Co-operation and Development (OECD) Privacy Framework, 251 Outer space cybersecurity law, 259–260 P P2 Commander, 279t Pakistan 300

USB attack simulation with, 18 whistleblowers. See Whistleblowers Peru CPTPP cybersecurity framework, 250 Personal Data Protection No. 29733 law, 101 Peters, Michael, 113–114 P.F. Chang’s v. Travelers Indemnity Co. (2014), 220 P.F. Chang’s China Bistro, Inc., 106, 220 Philadelphia Insurance Cos., 277t Phishing attacks, 16t, 45t, 67 Pinsent Masons, 230 PIPEDA (Personal Information Protection and Electronic Documents Act, Canada), 100t Plaintiffs, 17 Plastic Card Security Act (2007, Minn.), 52 Playdom, Inc., 79t Poland cryptography laws, 138 extradition from, 31t GDPR violations, 104t Portugal cryptography laws, 138 GDPR violations, 104t Preemptive liability protection, 113–114 Premera Blue Cross Customer Data Security Breach Litigation, In re (2017), 149–150 Preservation orders, 144–145, 205 Presidential Policy Directives, 245–246t PRIDE Voting Act, 66 Privacy Act (1974), 87t Privacy Compliance Scan, 211t Privacy protection automated license plate reader privacy protection, 120–121, 121t big data implications, 239 biometrics laws, 44, 152–154, 153t challenges of, 75, 122 children’s privacy laws, 77–80, 79t, 88t, 205 cloud computing implications, 239–240 common law of privacy, 76 constitutional rights, 76, 107, 117, 120 cybersecurity law program component, 197, 197f, 200f, 204, 205, 281t data breach laws and, 93–101, 103. See also Data breach notification laws data breach litigation and, 105–111 data disposal laws, 115, 116t defined, 76 digital assistant privacy issues, 117 dispositive motions, 46t

privacy laws, 92, 249 UN Universal Cybersecurity Legal Framework, 262 Palkon v. Holmes (2014), 109–110 Panin, Aleksandr Andreevich, 32 Passware, Inc., 279t Patco Constr. Co. v. People’s United Bank (2012), 24 Patent and Trademark Office (US), 142t Patent infringement cryptography, 133–136, 136t, 204 patent trolls, 134–135 Payment Card Industry Data Security Standard (PCI DSS), 25, 52, 114, 177–178, 177– 178t, 180, 180f PCAOB (Public Company Accounting Oversight Board), 226, 229t People v. See name of opposing party Personal cybercrimes, 19 Personal Data Notification and Protection Act (2015), 95 Personal Information Protection and Electronic Documents Act (PIPEDA, Canada), 100t Personal jurisdiction, lack of, 44 Personal liability CIOs and CISOs, 112 data and privacy protection, 109–110, 112–115 directors and officers insurance, 113 preemptive liability protection, 113–114 shareholder derivative lawsuits, 109–110 whistleblower protections against retaliation, 114–115 Personal use exemption, 138, 204 Personnel accountability matrix, 202–203, 203t BYOD policy, 116, 187 chief information officer, 112 chief information security officers, 50, 112, 200, 201f, 202 chief legal officers, 201, 201f chief privacy officers, 91–92, 200, 201f, 202 cyberlaw analysts, 201f, 202 cyberlaw librarians, 201, 201f cybersecurity analysts, 201f, 202 cybersecurity law program, 197f, 198, 200– 201f, 200–203, 203t, 281t cybersecurity workforce assessment, 57, 244 digital forensics lead, 202 directors, 109–110, 113 insurance risk managers, 201f, 202 monitoring communications, 116 301

cyber tort, 24, 32–33, 55 data breach notification violations, 96 Defense Federal Acquisition Regulations Supplement, 165 digital forensics violations, 150 GDPR violations, 103–104, 103–104t healthcare data privacy violations, 81–82, 82– 84t, 85 history of early US, 39 international privacy laws, 92 NERC Critical Infrastructure Protection noncompliance, 177 PCI DSS noncompliance, 178 privacy notice violations, 111 whistleblower settlements, 85b, 114–115, 179

electronic wiretap laws, 116 event data recorder, 118–120, 119t, 120t False Claims Act, 85b federal privacy law summary, 87–89, 87–89t GDPR, 78, 100, 102–105, 102f, 103–104t genetic information privacy laws, 154, 154t healthcare data, 80–87, 82–84t, 86t, 88–89t, 95, 154, 172–173, 204 international laws, 92–93, 249, 252–254, 254f, 254t. See also General Data Protection Regulation personal liability, 109–110, 112–115 policies, 204, 205 policy compliance scanning technology, 211, 211t privacy law library, 205 privacy notice law, 111 regulatory enforcement, 25 social media, 117–118, 117–118t state Chief Information Privacy Officer laws, 91–92, 92t state privacy law summary, 91, 91t tribal lands, 89–90 Privacy Protection for Rape Victims Act (1978), 87t Privacy Vaults Online Inc. (PRIVO), 78 Private cybersecurity law, 22. See also Civil law Privilege, security consultant-client, 149–150 Procedural law rules of civil procedure, 60–62, 61t, 208–209 rules of criminal procedure, 60, 60t, 209 US cybersecurity, 59–62, 60–61t Progressive Insurance, 134 Prohibited or illegal content, 16t. See also Child pornography cybercrimes Promoting Good Cyber Hygiene Act (2015), 243 Property cybercrimes, 19 Protecting Cyber Networks Act, 243 Prudential Insurance Co., 147–148 Public Company Accounting Oversight Board (PCAOB), 226, 229t Public cybersecurity law, 22. See also Criminal law Punishment and penalties. See also Cyberlaw enforcement; Damages Basel III Accord, 161 Chemical Facility Anti-Terrorism Standards, 161–162, 162t children’s privacy violations, 77, 79t, 80 cryptography violations, 132, 136t, 143 cybercrime, 14–15, 32, 55–56, 56t, 59t, 62

Q Queen Mary University of London, School of International Arbitration, 230 R RACI (Responsible, Accountable, Consulted, and Informed) matrix, 202–203, 203t Ransomware act of war exclusions, 222 extradition for installing, 30t federal laws, 64–65 as personal cybercrime, 19 state laws, 62, 63–64, 64t taxonomy, 16t Reasonable person test, 24, 49, 54 Recall Total Information Management Inc. v. Federal Insurance Co. (2015), 220 Red flags rule, 97–98 Redressability, 106 Regulatory law defined, 22 encryption requirements, 141, 141–143t enforcement, 25–26 government industry oversight, 25 industry self-regulated oversight, 25, 189–192 law and regulations library, 197f, 198, 209– 211, 210–211t RELX Group’s LexisNexis, 210 Remijas, Hilary, 105–106 Remijas v. Neiman Marcus Group, LLC (2015), 106 Remote access trojan, 15 Residual risk, 216 302

SAFETI Act, 66 Sahurovs, Peteris, 31t Samet Privacy (kidSAFE), 78 Sanctioned penetration testing, 242 Sands Corporation, 89b Sandvig v. Sessions (2018), 236 San Francisco State University, 112b SANS Institute Security Policy Project, 204 Sarbanes-Oxley Act (SOX, 2002), 25, 114, 178– 179, 243 Saudi Arabia cryptography laws, 133t privacy laws, 92 SBA (Small Business Administration), 244 SBI (State Bureau of Investigation), 26 SCA (Stored Communications Act, 1986), 88t, 107, 151 Scareware, 16t Schellman & Company, 254t Scientific and Technological Cooperation Agreement (2012), 264 Scottrade, Inc., 44, 134 Seagate Technology, 136t Search and seizure data breach litigation, 107 digital assistant privacy issues, 117 digital forensics, 145, 148–149, 206 digital search warrants, 137 encrypted data, 136–138, 206 event data recorder privacy protection, 120, 120t forgone conclusion rule, 137 preservation orders, 145 rules of criminal procedure, 60t SEC. See Securities and Exchange Commission Secret Service, US, 58, 275t Secure Data Act (2018), 152 Securities and Exchange Commission (SEC) CF Disclosure Guidance: Topic No. 2 – Cybersecurity, 49–50 as cybercrime reporting agency, 275t cybersecurity rules, 170 data breach enforcement, 98, 113 duty of care standards, 48, 49–50 SOX compliance for organizations registered with, 25, 114, 178–179, 243 Securities Exchange Act (1934), 110 Securities fraud lawsuits, 110–111 Security consultant-client privilege, 149–150 Security incident and event monitoring (SIEM), 24 Security technologies

Responsible, Accountable, Consulted, and Informed (RACI) matrix, 202–203, 203t Retail Ventures v. National Union Fire Insurance Co. (2012), 220 Revlon, Inc., 227t Right to Financial Privacy (1978), 87t Riley v. California (2014), 107 Risk assessment Basel III Accord, 160–161t Chemical Facility Anti-Terrorism Standards, 161–162, 162–163t cyber liability insurance policy restrictions, 217 Federal Financial Institutions Examination Council audits, 168 Federal Information Security Management Act, 168–169 healthcare data privacy protection, 86t insurable vs. uninsurable risk, 222, 223f maritime cybersecurity, 243 residual risk, 216 River Cree Resort and Casino, 89b Romance scam, 16t Romania cryptography laws, 138 extradition from, 31t GDPR violations, 103t Russia armed conflict law in cyberwar, 260, 261b cryptography laws, 132, 133t, 142 cyberbalkanization laws, 255 data localization laws, 255, 257t election interference, 66 extradition from, 30 GPS spoofing attacks, 258b Russian and China Cyber Security Pact, 264 UN Universal Cybersecurity Legal Framework, 262 S SAFE Act, 66 Safeguarding Against the Breach of Personally Identifiable Information memorandum, 98 Safe Harbor, Identity, and Consent Service Provider, 78, 205 Safe harbor provisions children’s privacy laws, 78, 80, 205 cryptography, 139, 204–205 data breach notification laws, 94, 95, 139 defined, 78 303

South Korea cryptography laws, 138 data localization laws, 257t extradition from, 30t Sovereign immunity, 90, 108 SOX (Sarbanes-Oxley Act, 2002), 25, 114, 178– 179, 243 Space, cybersecurity law in, 259–260 Spain cryptography laws, 138 extradition from, 30t Spamming CPTPP cybersecurity framework on, 251–252 as cybertrespass to chattle, 23 extradition for, 30t privacy laws, 88t taxonomy, 16t Spec’s Family Partners, Ltd. v. Hanover Insurance Co. (2018), 113b Spokeo v. Robins (2016), 106 Spoliation, 147–148, 205 SPY Car Study Act (2015), 53 SpyEye, 31t, 32 Spyware, 23, 31t, 32 SQLite Forensics Explorer, 279t Stamos, Alex, 50 Standards, 179–192. See also CIS Critical Security Controls; International Organization for Standardization; National Institute of Standards and Technology; Payment Card Industry Data Security Standard defined, 159 industry-specific, 189–192 Standing, lack of, 44, 46, 105–106 Stanford University Hospitals and Clinics, 47t State Bureau of Investigation (SBI), 26 State cyberlaw enforcement anti-phishing laws, 67 automated license plate reader privacy protection, 121, 121t biometrics laws, 44, 152–154, 153t Chief Information Privacy Officer laws, 91–92, 92t children’s privacy laws, 80, 205 computer crime laws, 62–69, 64t, 278t cryptography laws, 129, 139, 204–205 cyber bullying laws, 68–69 cyber reserve laws, 65 data breach laws, 27, 27b, 94 data broker regulations, 239 data disposal laws, 115

arbitration for failure to exercise adequate, 42 data loss prevention systems, 24, 116 duty to accurately disclose safeguards, 48, 51 duty to provide reasonable security, 39, 48, 49 intrusion detection systems, 24 security incident and event monitoring, 24 Security testing, 240–242 Seleznev, Roman, 15b Senior legal counsel, 201, 201f Sergic, 104t Session hijacking, 23 Seymour, Donna, 112 Shareholder derivative lawsuits, 109–110 Sherpa Software, 274t SHIELD (Stop Hacks and Improve Electronic Data Security) Act (NY), 153t SIEM (security incident and event monitoring), 24 Silent cyber risk insurance, 223–224 Singapore APEC Cross-Border Privacy Rules System, 254t CPTPP cybersecurity framework, 250 cyber risk pool, 223 Payment Services Act (2019), 257–258 Slovakia, cryptography laws in, 138 Slovenia cryptography laws, 138 extradition from, 31t Small Business Administration (SBA), 244 Small Business Cybersecurity Act (2018), 58 Small Business Cyber Security Improvements Act (2016), 244 Snowden, Edward, 132, 141 Social engineering, 16t Social media election security and bots in, 66 privacy protection, 117–118, 117–118t Software. See also Malware; Ransomware; Spyware accounting standards for expenditures on, 50 eDiscovery, 208–209, 208b, 274t piracy of, 14 policy compliance scanning, 211, 211t security testing, 240–242 Sony, 47t, 221 Sony BMG Music, 79t South Africa, cryptography laws in, 138, 143 South Carolina genetic information privacy law, 154t Insurance Data Security Act, 248 South Dakota, computer crime laws in, 62 304

denial of service laws, 65 digital forensics, 150, 151t duty of care laws, 52 election security legislation, 66 event data recorder privacy protection, 119– 120, 119–120t genetic information privacy laws, 154, 154t healthcare data privacy protection, 27b, 82 identity theft laws, 67–68 Insurance Data Security Model Law adoption, 248 Internet of Things legislation, 238 jurisdiction, 28f, 44, 62–63 overview, 26–27 privacy law summary, 91, 91t ransomware laws, 62, 63–64, 64t social media privacy protection, 117, 117–118t State Department encryption requirements, 142t international cyberspace policy, 243 State of Modern Application, Research, and Trends of IoT Act, 238 State v. See name of opposing party Stich Fix, 227t, 228b Stop Hacks and Improve Electronic Data Security (SHIELD) Act (NY), 153t Stored Communications Act (SCA, 1986), 88t, 107, 151 Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act (2018), 58 Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act (2015), 243 Strict liability torts, 22, 23–24 Stuxnet worm, 260 Subject matter jurisdiction, lack of, 44 Summary judgments, 46 SuperValue, Inc., 44, 45t Sweden, cryptography laws in, 138 Switzerland, cryptography laws in, 138 Symmetric key algorithms, 129t

TC Heartland v. Kraft Food Group Brands LLC (2018), 134–135 TCPA (Telephone Consumer Protection Act, 1991), 88t, 108 Technology big data, 238–239 cloud computing, 239–240 cybersecurity law program, 197f, 198, 200f, 208–212, 210–211t, 281t ethical hacking or sanctioned penetration testing, 242 forensic toolkits, 212, 279t future cybersecurity law development impacts of, 236, 237–242 Internet of Things, 167, 237–238 legal and regulatory update subscription, 210, 211t library meta tagging, 209–210, 210t policy compliance scanning, 211, 211t security. See Security technologies security testing, 240–242 software. See Software TecSec Inc., 136t Telegram, 129 Telephone Consumer Protection Act (TCPA, 1991), 88t, 108 Telephone Records and Privacy Protection Act (TRPPA, 2006), 88t Tennessee data breach notification laws, 94 identity theft laws, 68 Texas biometrics law, 153t cryptography patent infringement, 134–135, 134b data breaches, 94b digital forensics laws, 150, 151t healthcare data privacy protection, 82 ransomware laws, 64t Texas Instruments, 38 Thailand extradition from, 31t Personal Data Protection Act, 101 Theft of service, 16t Ticketfly LLC, 43 Tik Tok, 79t Tint Co., 79t Tiversa, 29–30 TJ Maxx, 15b TJX Company, 32, 109 Tort law

T Taiwan, Personal Data Protection Law, 101 TalkTalk, 15 Tallinn Manual on the International Law Applicable to Cyber Warfare, 260, 261 Tampa General Hospital, 47t Target Corp., 33, 47t, 106, 109, 114 305

UNCLOS (United Nations Convention on the Law of the Sea), 258–259, 260 Under Amour Inc., 42b Unicredit Bank, 103t Unified Compliance Framework® (UCF), 213 Union Bank of Switzerland (UBS), 42 Union Dime Savings Bank, 14 United Kingdom (UK) Brexit and EU cybersecurity impacts, 264–265 cryptography laws, 138, 143 Data Protection Act (2018), 100t Data Protection Directive, 265 Data Retention Directive, 265 Electronic Commerce Directive, 265 Financial Reporting Council, 229t G7 cybercrime agreement, 265–266, 266t GDPR violations, 104 United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce, 250 Convention on the Law of the Sea (UNCLOS), 258–259, 260 Convention on the Use of Electronic Communications in International Contracts, 250 Division for Ocean Affairs and the Law of the Sea, 258 Universal Cybersecurity Legal Framework, 262–263, 262–263t United States v. See name of opposing party UnityPoint Health, 45 Universal Am. Corp. v. National Union Fire Ins. Co. (2013), 221 University of Illinois, 18b University of Mississippi Medical Center, 81 University of Pittsburgh Medical Center, 23b, 55 University of Texas MD Anderson Cancer Center, 82t USB (Universal Serial Bus) device cybercrimes, 18, 18b US Code, description of, 58–59, 59t US cybersecurity law. See also Federal cyberlaw enforcement; specific departments and laws Alternative Dispute Resolution, 40–46 ANZUS Treaty, 264 APEC Cross-Border Privacy Rules System, 252, 253, 254t armed conflict law in cyberwar, 260–261 common law duty, 54–55

cyber torts, 22–23, 32–33, 54, 60–62, 61t, 230, 276t defined, 22 intentional torts, 22 negligence, 22, 24, 32–33, 54, 55, 85, 214b precedents, 24 punishment for breaching, 24, 32–33, 55 reasonable person doctrine, 24, 54 rules of civil procedure, 60–62, 61t, 208–209 strict liability torts, 22, 23–24 Touchstone Medical Imaging, 82t Trade pacts, 249 Trans-Pacific Partnership (TPP) Cybersecurity Framework, 250–252 Travelers Indemnity Co., 220, 277t Travelers Property Casualty Co. v. Federal Recovery Services, Inc. (2015), 220–221 Treasury Department, 141t Treaties, cybersecurity, 263–264 Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, Including the Moon and Other Celestial Bodies, 259–260 Tribal jurisdiction, 89–90 Tripple S Management, 83t TRPPA (Telephone Records and Privacy Protection Act, 2006), 88t TrustArc, Inc., 211t, 254t TRUSTe’s Children’s Privacy Program, 78 Tunisia, cryptography laws in, 133t Turkey cryptography laws, 138, 143t data localization laws, 257t Protection of Personal Data, Law No. 6698, 143t 23andMe, 154 Tyco, 178 Tyson Foods, Inc. v. Bouaphakeo (2016), 108 U Uber, 45t, 47t, 241 UBS (Union Bank of Switzerland), 42 UCF (Unified Compliance Framework®), 213 Ukraine armed conflict law in cyberwar, 261b cryptography laws, 133t UNCITRAL (United Nations Commission on International Trade Law) Model Law on Electronic Commerce, 250 306

Virginia event data recorder privacy protection, 119t identity theft laws, 68 social media privacy protection, 118 Visa, 14, 149, 177 Vitrium, 225t Voice over Internet Protocol (VoIP) hacker, 14 Vtech, 79t

competing and overlapping, 236 criminal cyberlaw, 55–56, 56t, 58–59, 59–60t, 60, 62–69, 64t cryptography laws, 138 data breach laws, 100t data localization laws, 257t duty of care doctrine, 39, 48–52 failure to act doctrine, 52–54 federal computer crime statutes, 56–59, 59t, 64–65 foreign policy and, 244–246, 245–246t future legislation, 242–244 history of dispute resolution, 38–39 maritime self-defense or defense of others guidance, 258–259 overview, 37–69 private sector, 39 procedural law, 59–62, 60–61t public sector, 38 reasonable person doctrine, 54 satellite cyberattack, 259 state computer crime laws, 62–69, 64t successful data breach lawsuits, 47, 47t US and China Cyber Agreement, 264 US-Mexico-Canada Agreement, 254–255 US Munitions List (USML), 130, 132 Utah automated license plate reader privacy protection, 121t event data recorder privacy protection, 119t

W WA (Wassenaar Arrangement), 130–131, 133, 138 Warren, Samuel, 76 Washington biometrics law, 153t CIPO law, 92t cryptography laws, 139 event data recorder privacy protection, 119t payment card data breach law, 52 Wassenaar Arrangement (WA), 130–131, 133, 138 Website defacement, 19 WellPoint, 83t Wells Fargo, 42 Westlaw, 210 Whalen v. Michaels Stores (2008), 43 WhatsApp, 129 Whistleblower Protection Act, 114 Whistleblowers protection of, 113–115, 179 settlements and awards, 85b, 114–115, 179 White hat hackers, 53, 242 WikiLeaks, 132, 142 Wind River Systems, 132b WorldCom, 178 Worsham, State v. (2017), 120 Wyndham Worldwide, 29, 109–110 Wyoming, ransomware laws, 63, 64t

V VA. See Veterans Affairs Department Vazquez, Martha, 90 Venezuela, data localization laws in, 257t Venmo, 96b Vermont data broker regulations, 239 genetic information privacy law, 154t Veterans Affairs Department (VA), 86–87 Veterans Benefits, Health Care, and Information Technology Act (2006), 86–87 Viacom, 80 Viber, 129 Video Privacy Protection Act (VPPA, 1988), 88t Video Privacy Protection Act Amendments Act (2012), 89t Vietnam CPTPP cybersecurity framework, 250 data localization laws, 257t

X Xanga.com, 79t Y Yahoo!, 49, 50, 54, 105, 109b Y Combinator, 39 Yelp, 79t YouTube, 79t Yuryevich, Peter, 30t

307

Zurich American Insurance Co., 222, 277t Zurich Insurance v. Sony (2014), 221

Z Zappos.com, 42 Zapproved, Inc., 274t Zero-day attacks, 48, 259

308

309

Credits

Kristen Noakes-Fry, ABCI, is Executive Editor at Rothstein Associates Inc. Previously, she was a Research Director, Information Security and Risk Group, for Gartner, Inc.; Associate Editor at Datapro (McGraw-Hill), where she was responsible for Datapro Reports on Information Security; and Associate Professor of English at Atlantic Cape College in New Jersey. She holds an M.A. from New York University and a B.A. from Russell Sage College.

Philip Jan Rothstein, FBCI, is President of Rothstein Associates Inc., a management consultancy he founded in 1984 as a pioneer in the disciplines of Business Continuity and Disaster Recovery. He is also the Executive Publisher of Rothstein Publishing.

Glyn Davies is Chief Marketing Officer of Rothstein Associates Inc. He has held this position since 2013. Glyn has previously held executive level positions in Sales, Marketing and Editorial at several multinational publishing companies and currently resides in California.

Cover Design and Graphics: Sheila Kwiatek, Flower Grafix

eBook Design & Processing: Donna Luther, Metadata Prime

Rothstein Publishing is your premier source of books and learning materials about

Business Resilience, including Crisis Management, Business Continuity, Disaster Recovery, Emergency Management, Security, Cybersecurity and Risk Management, as well as related fields including Root Cause Analysis and Critical Infrastructure. Our industry-leading authors provide current, actionable knowledge, solutions, and tools you can put in practice immediately. Rothstein Publishing remains true to the decades-long commitment of Rothstein Associates, which is to prepare you and your organization to protect, preserve, and recover what is most important: your people, facilities, assets, and reputation.

[email protected] www.rothstein.com


Building an Effective Cybersecurity Program (2nd EDITION)
By Tari Schreider C|CISO, CRISC, ITIL® Foundation, MCRP, SSCP

NEW 2nd EDITION FOR 2020
BUILD YOUR CYBERSECURITY PROGRAM WITH THIS COMPLETELY UPDATED GUIDE

Security practitioners now have a comprehensive blueprint to build their cybersecurity programs. Building an Effective Cybersecurity Program (2nd Edition) instructs security architects, security managers, and security engineers how to properly construct effective cybersecurity programs using contemporary architectures, frameworks, and models. This comprehensive book is the result of the author's professional experience and involvement in designing and deploying hundreds of cybersecurity programs. The extensive content includes:

• Recommended design approaches
• Program structure
• Cybersecurity technologies
• Governance
• Policies
• Vulnerability
• Threat and intelligence capabilities
• Risk management
• Defense-in-depth
• DevSecOps
• Service management
• ...and much more!

The book is presented as a practical roadmap detailing each step required for you to build your effective cybersecurity program. It also provides many design templates to assist in program builds, and all chapters include self-study questions to gauge your progress. Building An Effective Cybersecurity Program (2nd Edition) is your single source reference for building effective cybersecurity programs! Building an Effective Cybersecurity Program: 2nd Edition is organized around the six main steps on the roadmap that will put your cybersecurity program in place:

1. Design a Cybersecurity Program
2. Establish a Foundation of Governance
3. Build a Threat, Vulnerability Detection, and Intelligence Capability
4. Build a Cyber Risk Management Capability
5. Implement a Defense-in-Depth Strategy
6. Apply Service Management to Cybersecurity Programs


Because Schreider has researched and analyzed over 150 cybersecurity architectures, frameworks, and models, he has saved you hundreds of hours of research. He sets you up for success by talking to you directly as a friend and colleague, using practical examples. His book helps you to:

• Identify the proper cybersecurity program roles and responsibilities.
• Classify assets and identify vulnerabilities.
• Define an effective cybersecurity governance foundation.
• Evaluate the top governance frameworks and models.
• Automate your governance program to make it more effective.
• Integrate security into your application development process.
• Apply defense-in-depth as a multi-dimensional strategy.
• Implement a service management approach to implementing countermeasures.

With this new 2nd edition of this handbook, you can move forward confidently, trusting that Schreider is recommending the best components of a cybersecurity program for you. In addition, the book provides hundreds of citations and references that allow you to dig deeper as you explore specific topics relevant to your organization or your studies. Whether you are a new manager or a current manager involved in your organization's cybersecurity program, this book will answer many questions you have on what is involved in building a program. You will be able to get up to speed quickly on program development practices and have a roadmap to follow in building or improving your organization's cybersecurity program. If you are new to cybersecurity, in the short period of time it will take you to read this book you can become the smartest person in the room, grasping the complexities of your organization's cybersecurity program. If you are a manager already involved in your organization's cybersecurity program, you have much to gain from reading this book. This book will become your go-to field manual, guiding or affirming your program decisions.

2020, 406 pages. Index. ISBN 9781944480530 Print; ISBN 9781944480554 PDF eBook; ISBN 9781944480547 ePub eBook. https://www.rothstein.com/product/cybersecurity-program-2e/


About the Author

Tari Schreider is a distinguished technologist and nationally known expert in the fields of cybersecurity, risk management, and disaster recovery. He was formerly Chief Security Architect at Hewlett-Packard Enterprise and National Practice Director for Security and Disaster Recovery at Sprint E|Solutions. Schreider is an instructor for EC-Council, where he teaches advanced CISO certification and risk management courses.

Schreider has designed and implemented complex cybersecurity programs, including a red team penetration testing program for one of the world's largest oil and gas companies, a NERC CIP compliance program for one of Canada's largest electric utility companies, and an integrated security control management program for one of the largest 911 systems in the US, and designed a cybersecurity service architecture for one of the largest retailers in the US. He has advised organizations worldwide, including in Brazil, China, India and South Africa, on how to improve their cybersecurity programs. Schreider implemented a virtual Security Operations Center network with vSOCs located in the US, Brazil, Italy, Japan, Sweden, and the US. He was also responsible for creating the first Information Sharing and Analysis Center in collaboration with the Information Technology Association of America (IT-ISCA). His earliest disaster recovery experiences included assisting companies affected during the 1992 Los Angeles riots and the 1993 World Trade Center bombing. His most unique experience came during the Gulf War, helping a New York financial institution recover after becoming separated from its data center in Kuwait.

Schreider has appeared on ABC News, CNN, CNBC, and NPR, and has had numerous articles printed in security and business magazines, including Business Week, New York Times, SC Magazine, The Wall Street Journal and many others. He is the author of The Manager's Guide to Cybersecurity Law (Rothstein Publishing, 2017) and is a co-author of the US patent Method for Analyzing Risk. He studied Criminal Justice at the College of Social & Behavioral Sciences at the University of Phoenix and holds the following certifications in security and disaster recovery:

• American College of Forensic Examiners, CHS-III
• Certified CISO (C|CISO)
• Certified in Risk and Information Systems Control (CRISC)
• ITIL® v3 Foundation Certified
• System Security Certified Practitioner (SSCP)
• Member of the Business Continuity Institute (MBCI)
• University of Richmond – Master Certified Recovery Planner (MCRP)
