The Manager's Guide to Cybersecurity Law : Essentials for Today's Business [1 ed.] 9781944480318


English Pages 165 Year 2017


The Manager’s Guide to Cybersecurity Law: Essentials for Today’s Business A Rothstein Publishing Collection eBook

Tari Schreider SSCP, CISM, C|CISO, ITIL Foundation

Kristen Noakes-Fry, ABCI, Editor

ISBN: 978-1-944480-30-1 EPUB
ISBN: 978-1-944480-31-8 PDF

203.740.7400 • 203.740.7401 fax
[email protected]
www.rothsteinpublishing.com

COPYRIGHT ©2017, Rothstein Associates Inc. All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without express, prior permission of the Publisher. No responsibility is assumed by the Publisher or Authors for any injury and/or damage to persons or property as a matter of product liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein. Local laws, standards, regulations, and building codes should always be consulted first before considering any advice offered in this book.

The subject matter covered in this book is for informational purposes only and not intended to provide legal advice. You should contact your attorney to obtain advice on any specific issue with your organization’s cybersecurity program. Use of and access to this material or any of the links contained within the book does not create an attorney-client relationship between the author and reader of the book. The opinions expressed within this book are the opinions of the individual author and do not represent legal advice.


Dedication

For my loving wife, Teri, forever and always supportive. To my Grandpa John who, from my earliest memory to his last days, always told me I could do anything and be anything. His presence while writing was constant, and I only wish he were still with us to see this book published.

Acknowledgments

I wish to thank my editor, Kristen Noakes-Fry, for expertly and gently guiding me through the creation of this book and helping me understand the process of professional publishing. This book was a collaboration that we both take great pride in, knowing that it will help many managers understand cybersecurity law.

Table of Contents

Cover
Title Page
Copyright
Dedication
Foreword
Preface

Chapter 1: Introduction to Cybersecurity Law
  1.1 Infamous Cybercrimes
  1.2 Civil vs. Criminal Cybersecurity Offenses
    1.2.1 Clarifying the Definition of Cybercrime
    1.2.2 Challenging Your Current Definition of Cybercrime
    1.2.3 Creating a Strong Cybercrime Definition
    1.2.4 Cybercrime Categories in the Incident Response Plan
  1.3 Understanding the Four Basic Elements of Criminal Law
    1.3.1 Mens Rea
    1.3.2 Actus Reus
    1.3.3 Concurrence
    1.3.4 Causation
  1.4 Branches of Law
  1.5 Tort Law
    1.5.1 Cyber Tort
    1.5.2 Strict Liability Tort
    1.5.3 Tort Precedents
  1.6 Cyberlaw Enforcement
    1.6.1 Regulatory Enforcement
    1.6.2 Local Enforcement
    1.6.3 State Enforcement
      1.6.3.1 Computer Crime Cases
      1.6.3.2 Data Breach Cases
    1.6.4 Federal Enforcement
    1.6.5 International Enforcement
  1.7 Cybersecurity Law Jurisdiction
    1.7.1 Challenging Jurisdiction
    1.7.2 Extradition
  1.8 Cybercrime and Cyber Tort Punishment
    1.8.1 Cybercrime Punishment
    1.8.2 Cyber Tort Punishment
  References

Chapter 2: Overview of US Cybersecurity Law
  2.1 Brief History of Resolving Cybersecurity Disputes
    2.1.1 Computer Crime Laws in the Public Sector
    2.1.2 Computer Crime Laws in the Private Sector
    2.1.3 Application of Laws to Cybersecurity
  2.2 Resolving Cybersecurity Disputes Outside of Court
    2.2.1 Cybersecurity Case Mediation Law
    2.2.2 Cybersecurity Case Arbitration Law
    2.2.3 Cybersecurity Case Dispositive Motion Law
    2.2.4 Cybersecurity Case Summary Judgments
  2.3 Duty of Care Doctrine
    2.3.1 Duty to Provide Reasonable Security
    2.3.2 Duty to Reveal Security Breaches
    2.3.3 Duty to Accurately Disclose Safeguards
    2.3.4 Duty to Protect Information
    2.3.5 State-Based Duty of Care Laws
  2.4 Failure to Act Doctrine
    2.4.1 Failure to Act Duty
    2.4.2 Failure to Warn Duty
    2.4.3 Cybersecurity Good Samaritan Law
  2.5 Reasonable Person Doctrine
  2.6 Criminal Cyberlaw
    2.6.1 Cybercrime Penalties
  2.7 Federal Computer Crime Statutes
    2.7.1 Significant Federal Laws Addressing Computer Security
    2.7.2 The US Code
  2.8 Procedural Law
    2.8.1 Rules of Criminal Procedure
    2.8.2 Rules of Civil Procedure (Cyber Tort)
  2.9 State Computer Crime Laws
  References

Chapter 3: Cyber Privacy and Data Protection Law
  3.1 Common Law of Privacy
  3.2 Privacy Laws
    3.2.1 Children's Privacy Laws
      3.2.1.1 Federal Children's Privacy Law
      3.2.1.2 State Children's Privacy Laws
    3.2.2 Healthcare Data Privacy Laws
      3.2.2.1 HIPAA Privacy Rule
        3.2.2.1.1 Law Enforcement HIPAA Disclosure
        3.2.2.1.2 HITECH Act
        3.2.2.1.3 HIPAA Breach Notification Rule
      3.2.2.2 Veterans Benefits, Health Care, and Information Technology Act
    3.2.3 Federal Privacy Laws
    3.2.4 State Privacy Laws
    3.2.5 International Privacy Laws
  3.3 Data Breach Laws
    3.3.1 State Data Breach Laws
    3.3.2 Federal Data Breach Laws
    3.3.3 International Data Breach Laws
  3.4 Data Breach Litigation
    3.4.1 Injury vs. No-Injury Class Action Lawsuits
    3.4.2 Data Privacy and the US Supreme Court
      3.4.2.1 City of Ontario, California, et al. v. Quon
      3.4.2.2 Campbell-Ewald Co. v. Gomez
      3.4.2.3 Tyson Foods, Inc. v. Bouaphakeo
    3.4.3 Shareholder Derivative Lawsuits
    3.4.4 Securities Fraud Lawsuits
  3.5 Privacy Notice Law
  3.6 Personal Liability
    3.6.1 Directors and Officers Insurance
    3.6.2 Preemptive Liability Protection
  3.7 Data Disposal Laws
  3.8 Electronic Wiretap Laws
  References

Chapter 4: Cryptography and Digital Forensics Law
  4.1 Brief Overview of Cryptography
  4.2 Cryptography Law
    4.2.1 Export Control Laws
    4.2.2 Import Control Laws
    4.2.3 Cryptography Patent Infringement
      4.2.3.1 Patent Trolls
    4.2.4 Search and Seizure of Encrypted Data
      4.2.4.1 Digital Search Warrants
      4.2.4.2 Foregone Conclusion Rule
    4.2.5 Encryption Personal Use Exemption
  4.3 State Encryption Laws
    4.3.1 State Encryption Safe Harbor Provision
  4.4 Fifth Amendment and Data Encryption
  4.5 Laws and Regulations Requiring Encryption
  4.6 International Cryptography Law Perspective
  4.7 International Key Disclosure Law
  4.8 Legal Aspects of Digital Forensics
    4.8.1 Preservation Order
    4.8.2 Digital Best Evidence Rule
    4.8.3 Digital Chain of Custody
    4.8.4 Digital Data Admissibility in Court
    4.8.5 Digital Evidence Spoliation
    4.8.6 Expert Witnesses
    4.8.7 Security Consultant Client Privilege
  4.9 State Digital Forensics Law
  References

Chapter 5: Future Developments in Cybersecurity Law
  5.1 Future of Cybersecurity Legislation
  5.2 Impact of Technology on Cybersecurity Law
    5.2.1 Legal Implications of the Internet of Things (IoT)
    5.2.2 Legal Implications of Big Data
    5.2.3 Legal Implications of the Cloud
    5.2.4 Legal Implications of Security Testing
  5.3 Future US Cybersecurity Legislation
  5.4 US Foreign Policy on Cybersecurity
  5.5 National Association of Insurance Commissioners (NAIC) Model Cybersecurity Law
  5.6 Harmonization of International Cybersecurity Laws
    5.6.1 Cybersecurity Law and Trade Pacts
    5.6.2 Harmonization of Cybersecurity and Privacy Law
  5.7 Trans-Pacific Partnership (TPP) Cybersecurity Framework
  5.8 Aligning the Law of the Sea to Cybersecurity Law
  5.9 Cybersecurity Law in Outer Space
  5.10 The Law of Armed Conflict in Cyberwar
  5.11 North Atlantic Treaty Organization (NATO) Cyberlaw Stance
  5.12 United Nations – Universal Cybersecurity Legal Framework
  5.13 International Treaties on Cybersecurity
  5.14 Brexit Impact on European Union Cybersecurity Law
  5.15 G7 Perspective on Cybercrime
  References

Chapter 6: Creating a Cybersecurity Law Program
  6.1 Cybersecurity Law Program
    6.1.1 Model
      6.1.1.1 Components
      6.1.1.2 Subcomponents
    6.1.2 Architecture
    6.1.3 Program Staffing and Roles
      6.1.3.1 Accountability Matrix
    6.1.4 Program Policies
    6.1.5 Program Procedures
    6.1.6 Program Technology
      6.1.6.1 eDiscovery Software
      6.1.6.2 Program Knowledgebase
      6.1.6.3 Legal and Regulatory Update Subscription
      6.1.6.4 Policy Compliance Scanning
      6.1.6.5 Forensic Toolkits
    6.1.7 Mapping Legal Requirements to Controls
    6.1.8 ISO/IEC 27002 on Compliance Controls
  6.2 Cyber Liability Insurance
    6.2.1 Coverage Categories
    6.2.2 Policy Restrictions
    6.2.3 Policy Value
    6.2.4 Policy Cost
    6.2.5 Policy Claims
    6.2.6 Policy Claim Disputes
    6.2.7 Policy Lawsuits
      6.2.7.1 P.F. Chang's v. Travelers Indemnity Co.
      6.2.7.2 Recall Total Information Management Inc. v. Federal Insurance Co.
      6.2.7.3 Retail Ventures v. National Union Fire Insurance Co.
      6.2.7.4 Travelers Property Casualty Company of America, et al. v. Federal Recovery Services, Inc., et al.
      6.2.7.5 Universal Am. Corp. v. National Union Fire Ins. Co.
      6.2.7.6 Zurich Insurance v. Sony
  References

Appendix A: Useful Checklists and Information
  Table A-1. eDiscovery Software
  Table A-2. Cybercrime Reporting Agencies
  Table A-3. Cyber Tort Readiness Checklist
  Table A-4. Providers of Cyber Liability Insurance
  Table A-5. Research Sources
  Table A-6. Digital Forensics Toolkits
  Table A-7. Cyber Liability Stress Test
  Table A-8. Cybersecurity Law Program Bill of Materials

About the Author
Credits
More from Publisher

Foreword

Those of us of a certain generation remember where we were the morning of September 11, 2001. For me, that was in my office at the US Department of Justice headquarters in Washington, DC, a stone's throw from the Pentagon. The shocking images on TV of planes flying into the World Trade Center were surpassed for me only by the plumes of black smoke I saw from my office window as they rose above the burning Pentagon. On that day, 19 terrorists hijacked a technology meant to improve our way of life and bring the world closer together – passenger aircraft – and weaponized it for an evil and destructive purpose. As then-Attorney General John Ashcroft would state, our paradigm for anti-terrorism efforts necessarily changed overnight from prosecution to prevention.

Just as terrorists weaponized passenger aircraft on September 11th and forced a paradigm shift in America's anti-terrorism efforts, so too have "digital terrorists" forced a shift in our approach to cybersecurity. As a manager or key executive, you know that in this new world of cyberattacks, data breaches, and data intrusion, prevention is the necessary paradigm. In Manager's Guide to Cybersecurity Law, Tari Schreider accomplishes much the same objective – that is, to help you take clear, methodical, practical steps in your organization to operationalize this new paradigm. And with the explosion of cybersecurity laws and regulations of the past few years, operationalize it you must!

As the former Chief Security Architect for Fortune 100 company Hewlett Packard, Tari Schreider draws on his years of experience in both the technical development of security programs and the compliance assessment of the same to articulate the full spectrum of operationalizing cybersecurity in your organization. From helping you understand the basics of cybersecurity law, to outlining the key elements of a cybersecurity law program, to describing tools for program implementation, Tari – in the words of a cybersecurity colleague – "turns the obscure into the obvious in a manner that precludes any misunderstanding." You can have confidence in Tari, as he serves as your guide and personal investigator, identifying the current and coming threats, delivering the roadmap for shifting to a prevention paradigm, and defining the actions necessary to operationalize the new paradigm. It is now in your hands to act on this intelligence.

Susan Richmond Johnson, MBA, MPM/CIPM
Managing Principal, The Ashcroft Group LLC
Washington, DC
January 2017

Preface

My nearly 40 years in the fields of cybersecurity, risk management, and disaster recovery have taught me some immutable truths. One of these truths is that failure to consider the law when developing a cybersecurity program results in a protective façade or false sense of security. You may be protecting your data, but you are not protecting your company. Showing you how to avoid the painful lesson of learning this truth too late is the reason I wrote this book.

This book shows you how to bridge the gap between cybersecurity programs and cybersecurity law. My vantage point is somewhat unique in that I am a board-certified information security practitioner with a criminal justice administration background. While I do not dispense legal advice here, my goal is to provide awareness of various legal considerations that managers should embrace. I do strongly recommend that after you have read this book, you sit with your legal department to begin the discussion of creating a closer relationship between your organization's cybersecurity policies and practices and the law.

We live in a litigious world and therefore must prepare ourselves for the eventuality of a cyber-related lawsuit. Your company may have developed its cybersecurity program according to the letter of applicable security standards or industry regulations. But this usually leads to developing your program in a bubble when the law is not considered. My hope is that after reading this book, you will have a whole new way of thinking and approach to your company's cybersecurity program. Applying what you learn about criminal and civil procedure as well as other lessons presented in this book will allow you to burst out of that bubble. Because you have responsibility in your company to protect your company adequately against future cyber liability, you have a duty to think past security standards and regulatory controls to ensure your cybersecurity program complies with all laws and legal jurisdictions.

Finally, let me remind you that you should not act on any advice in this book without first seeking legal advice.

Tari Schreider
Atlanta, Georgia – Cheyenne, Wyoming
January 2017

Chapter 1
Introduction to Cybersecurity Law

A sense of excitement and anxiety rushes over you simultaneously upon receiving an invitation to present your cybersecurity program to senior executives of your company. At last, you have achieved recognition for creating a cybersecurity program that meticulously follows industry standards! Your proposal has passed several independent assessments and even garnered approving nods from internal audit. Filled with confidence and thinking your life as a leader and manager in cybersecurity couldn't be better, you embark enthusiastically on your carefully prepared presentation. Then, shortly after your opening remarks, your organization's chief legal counsel chimes in, "Have you ensured our cybersecurity program complies with and supports all the legal statutes to which we must adhere?"

Your answer to this question will get the immediate attention of the senior leadership of your company – and imprint the question of your subject-matter competency on their minds. As the champion of your organization's cybersecurity program, your challenge is to answer this question skillfully in order to earn the confidence and respect of those with the authority to support and fund your cybersecurity initiatives.

This chapter will help you to:
• Communicate effectively with your company's legal counsel by having a working knowledge of how the US legal system applies to cybersecurity.
• Seek out and implement ways to improve your company's cybersecurity program to avoid post-cyberattack lawsuits.
• Upgrade your cybersecurity policies to comply with state, federal, and regulatory statutes.

1.1 Infamous Cybercrimes

You may have seen many headlines, articles, or lists showcasing computer hacking and other cybercrime events; however, few focus on the cybercriminals who have been charged, prosecuted, and convicted for their cyber offenses. Before we begin our cybersecurity law journey, I think it only appropriate to offer some examples of what happened when the crime was over and the offenders were punished. Significant cybercrime court cases of the past five years include:

• October 18, 2012 – Top executives of Kolon Industries indicted for stealing DuPont's Kevlar trade secrets. Kolon had used computers to copy the intellectual property and then to destroy the data; the company pleaded guilty and paid $360 million in restitution. Several executives were sentenced to prison terms (E.I. DuPont de Nemours, 2011).
• July 26, 2013 – Five Russian and Ukrainian hackers charged in a $300 million crime stemming from the theft and use of 160 million credit card numbers from Carrefour SA, JCPenney, JetBlue Airways, Visa, and others (Williams, 2015).
• August 27, 2014 – Former acting director of cybersecurity at the US Department of Health and Human Services (HHS) convicted on child pornography charges. Ultimately he was sentenced to 25 years (Robinson, 2014).
• December 17, 2015 – Six defendants from China, Germany, Singapore, and the US pleaded guilty to a $100 million software piracy scheme. Over a period of six years, 170,000 stolen Microsoft and Adobe activation keys were sold illegally (US Department of Justice, 2015).
• September 1, 2016 – A Romanian hacker known as "Guccifer" received a 52-month prison sentence for 100 counts of unauthorized access to a protected computer and aggravated identity theft (US Department of Justice, 2016).

TIP: Compare the examples above with the security technologies and practices you currently have in place, and ask yourself whether your methods would have detected trade secret theft, hacker intrusions, a senior executive violating a security policy, use of pirated software, or employee identity theft.

1.2 Civil vs. Criminal Cybersecurity Offenses

As the manager of cybersecurity, you may need to deal with both civil and criminal cases.
• Criminal cases will result from either an insider committing a cyber offense or an external party hacking into your computer systems.
• Civil cases will arise from your organization suing a company, or from a company suing you, for some harm caused by a cyberattack.

Your cybersecurity program will need to address both scenarios. You must also be ready to be either the plaintiff or the defendant.

In a civil case, as the plaintiff, you would be claiming that some entity has failed to fulfill a legal duty. For example, you would be the plaintiff if your company is bringing suit against a cloud service provider that exposed your customers' data due to an incorrectly configured firewall. As a defendant, an entity would be accusing your organization of the same. In criminal cases, the government or a private entity will bring the case against you (the defendant), and your role will be to gather evidence to disprove the alleged offense. For example, you will be the defendant if a class action lawsuit is brought against your company following a hacking incident where customer data was stolen.

By now, you should be contemplating how to ensure your cybersecurity program supports these legal scenarios. The determination of whether it is a civil or criminal matter begins with the establishment of the crime.

1.2.1 Clarifying the Definition of Cybercrime

No universal definition of cybercrime exists; however, a general consensus exists that cybercrime falls into two categories. The first category is existing crimes that are now committed using computers and networks. The second includes crimes that have specifically evolved in the computer age and use sophisticated methods to commit crime. Definitions of cybercrime have fundamental similarities in a broad sense; however, a diverse array of opinions nonetheless exists.
• Not surprisingly, many courts also have varying interpretations of cybercrime, including how to even spell the term, which is often rendered as cyber crime, cyber-crime, or cybercrime.
• Contributing to the disparity of definitions is the changing landscape of technology. Cloud computing, software-defined infrastructure, and outsourcing have all but obliterated many definitions of cybercrime.

A clear and concise definition of cybercrime establishes the proper foundation for developing policies and practices to detect, prevent, and mitigate offenses. I will discuss more about policy creation in Chapter 6. An understandable definition of cybercrime bridges the gap between the law and your cybersecurity program and brings clarity to the portions of your cybersecurity program that address criminal offenses.

1.2.2 Challenging Your Current Definition of Cybercrime

Is the current description of the crimes clear and concise enough to create actionable policies and practices? Many definitions just state that computer crime is the commission of a crime through the use of equipment and networks. I argued just such a point with a client once and even performed a breach of security simulation to prove the point. The exercise consisted of USB sticks strewn across their parking lot, with the hope that a few unsuspecting employees would pick them up and attempt to read the data. Approximately a dozen employees were detected by the client's endpoint security software plugging the USB sticks into their computers. The exercise showed that no crime had been committed according to their definition, as neither a computer nor a network was used to commit the offense. Their legal department agreed and subsequently made modifications to their definition of cybercrime. How do you feel your employees would do with a similar test?

1.2.3 Creating a Strong Cybercrime Definition

Depending on geographical location and jurisdiction, cybercrime definitions vary. You will want your cybercrime definition to hold true regardless of the rapidity of legislative and technological change, as well as to adhere to multiple legal jurisdictions. Consider peer-testing your cybercrime definition against one that I have developed over my career of working with numerous companies. This definition has evolved from dozens of legal department reviews:

Cybercrime is a criminal act in which computerized equipment, automated service, or communications mechanism is either the object or the means of perpetrating legal or regulatory restricted or prohibited offenses.

Such a definition has a number of advantages:
• Including the word offenses in the definition rather than citing specific examples such as theft or fraud makes the definition timeless.
• The use of the words equipment, service, and communications frees the definition from being dependent on specific technologies.
• You will not need to cite specific examples such as cybertheft or computer fraud in your definition, as those examples will always be a crime regardless of a cyber component.

To ensure that your cybersecurity program defines cybercrime adequately in an actionable sense, be sure to validate the definition with your company lawyers.

1.2.4 Cybercrime Categories in the Incident Response Plan

Once you have a vetted and approved cybercrime definition, don't forget about identifying the likely types of cybercrimes to which your organization is exposed. Naming cybercrimes within the definition will burden the description unduly by limiting its applicability and usefulness, which is why it is important to identify them separately. The proper place to address the identified cybercrimes is in your company's incident response plan, a set of instructions or tasks specifying the actions necessary to respond to a specific security emergency. Emergencies could include virus outbreaks, loss or theft of an employee-assigned laptop containing sensitive information, or a ransomware attack. Using a risk assessment as your guide, focus on the cybercrimes with the highest likelihood of occurrence and a correspondingly high potential impact.

To aid in the identification of cybercrimes, you will find it helpful to examine the four primary categories:

1. Personal Cybercrimes. These types of crimes target people and consist of cyberbullying, cyberstalking, identity theft, identity impersonation, fraud scams, data theft, ransomware attacks, etc.
2. Institutional Cybercrimes. These types of crimes target companies or governments and consist of denial of service attacks, cybervigilantism, cyber terrorism, cyber-slander, hacktivism, website defacement, etc.
3. Property Cybercrimes. These types of crimes target digital property and consist of data theft, computer sabotage, data destruction, etc.
4. Inchoate Cybercrimes. Inchoate is a specific legal term that is used to describe crimes that have been started, but not completed. An example of this type of crime would be where a hacker has completed the initial steps of an attack on a network or computer (target). These steps could include scanning a target for potential vulnerabilities, verifying the vulnerabilities exist on the target, and installing malicious software to siphon away confidential data. In this example, all the hacker would need to do to complete the crime is activate the malicious software remotely. What would make this an inchoate crime is that the last step of activating the malicious software is never completed. Despite the fact that such crimes are incomplete and no harm has yet occurred, they were nonetheless attempted, demonstrating that a substantial criminal effort was under way. Inchoate crimes also include cyber conspiracy, cybersolicitation, cyberstalking, and other types of attempted crimes.

TIP: The tone and scope of a cybersecurity program start with a proper cybercrime definition. The definition will shape the construction of information and asset protection policies and practices. Address specific high-risk cybercrimes within your incident response plan.

1.3 Understanding the Four Basic Elements of Criminal Law

It would be nearly impossible to build connections to the law in your cybersecurity plan without at least knowing the fundamentals of criminal law. If you know how the legal system determines guilt or innocence, you can better create a cybersecurity program with appropriate enforcement mechanisms. One of the biggest disconnects between cybersecurity programs and the law is in the area of security policies. You will need to ask yourself whether the security policies of your company hold employees to a higher standard than the law, or whether you would terminate an employee violating a policy without criminal intent. Policies will be discussed more in Chapter 6. The four elements of criminal law with which you should be familiar are mens rea, actus reus, concurrence, and causation. It is advisable for you to use these four elements of criminal law as your security policy enforcement standard to avoid legally contested terminations resulting from a security policy violation.

1.3.1 Mens Rea

The first element of criminal prosecution is proving mens rea, or a guilty state of mind of the offender. However, as cybercriminals operate remotely and generally without witnesses, it is nearly impossible to prove their intent or state of mind during the commission of their hacking into a computer system or network. You may also think of this as the evil intent of the offender.

1.3.2 Actus Reus

Actus reus is the second and the most critical element of pursuing a case against an unknown subject (unsub) or perpetrator. Simply put, actus reus is the criminality of the offense itself, where law enforcement collects the evidence and witness testimony necessary to prove beyond a reasonable doubt that one or more individuals committed the crime. Unfortunately, existing laws all but make it impossible for prosecutors to establish actus reus, due in part to the ease with which criminals can cover their digital tracks or evidence. Uncovering evidence requires highly experienced forensic investigators. See Chapter 4 for more detail on digital forensics.

1.3.3 Concurrence

The third element of a crime is concurrence. As if mens rea and actus reus were not difficult enough to determine individually, prosecutors also need to show they occurred at the same time – the element of concurrence. Offenders cannot be found guilty without a direct connection between the mens rea and actus reus elements of a crime; in other words, they had the intent to violate a law as well as to cause harm. Early computer criminals were often found not guilty because prosecutors could not prove both their evil intent and their evil acts.

1.3.4 Causation

Causation is the fourth element of an offense and one of the most difficult to prove. Here, prosecutors must prove the criminal activity and the outcome or detrimental effects of that activity. Causation is essentially actus reus in association with harm. The difference between the elements of concurrence and causation may seem subtle, but it is significant. Concurrence just means that two things must happen at the same time. Causation is the conduct of the perpetrator and the result of his or her act. You may think of this as the harm caused to people or property as a result of a criminal activity.

1.4 Branches of Law

You will encounter three basic types of law in cybersecurity: public, private, and regulatory.
• Public cyberlaw refers to cybercriminals and the government. Public law is part of the criminal legal system, allowing the government to bring an action against those that violate cybersecurity and privacy laws.
• Private cybersecurity law applies to companies with respect to their obligations and contracts. Private law, part of the civil legal system, allows companies to resolve common law disputes, also called tort law.
• Regulatory law, also known as administrative law, sets out the rules and regulations prescribed by various governmental agencies.

1.5 Tort Law

Up to this point, you have learned how cyberlaw relates to criminals, but how does cybersecurity law relate to your organization? Organizations can be held liable for a cyberattack. The last thing you would want to occur after surviving an attack is to face a lawsuit for causing or contributing to the cyberassault. A tort is a civil wrong that happens when a group or individual commits an act or omission that causes harm or loss. The primary purpose of tort law is to compensate or provide relief to injured parties for the damage caused by others. The courts also impose penalties and fines to the extent they serve as a deterrent against future acts. The burden of proof in these cases usually shifts from the injured party to the accused party to prove they did no wrong. Although there are a number of different types of torts, as the cybersecurity manager you need only be concerned with two – cyber and strict liability torts.

1.5.1 Cyber Tort

How would you handle the situation where the legal department informs you that several employees were named in either a cybertrespass or cyber harassment lawsuit? Knowing what to do begins with recognizing that cybersecurity tort is very real and is occurring with great regularity. Cybersecurity torts include intentional acts against persons or property. Cybersecurity torts are simply torts committed within cyberspace and fall into three general categories:

1. Intentional Cybercrimes Against Persons. Committing acts of cyberbullying, cyber defamation, cyberstalking, and other attacks against people who are specifically targeted.
2. Cybertrespass to Chattel. Chattel is nothing more than moveable property, which in legal terms includes computers, networks, or related services. In this context, cybertrespass would be the act of preventing the owner from possessing or using the property as the owner intended. This crime can include offenses such as denial of service (DoS) attacks, SPAM, and spyware. Not all courts agree on the use of cybertrespass, due primarily to the overlap with unauthorized access laws.
3. Cyber-Conversion. The stealing of someone’s Internet domain name, committing session hijacking, or using computer services not authorized previously, etc. Essentially, it is where someone obtains a cyber resource or service and converts it to their own use without authorization.

You can detect most cyber tort offenses through the use of security technologies such as security incident event monitoring (SIEM), intrusion detection systems (IDS), and data loss prevention (DLP) systems. Company collaboration systems and email can be monitored for key words related to cyberbullying or harassment; email scanning software can block SPAM; and session encryption can be used for website communications to prevent someone from capturing a session cookie. I encourage you to think of threats outside of the conventional sense and think about them as crimes. Then think about what tools you could apply to detect and prevent these types of crimes.

1.5.2 Strict Liability Tort

Strict liability determines who is legally responsible for damages even in the event they were not at fault or negligent. Often used in product liability cases, strict liability is setting the standard for cybersecurity cases. Here, your company owes its customers a duty to protect their information, especially in light of the fact that cyberattacks are reasonably foreseeable given the preponderance of published attack evidence. A successful cyberattack against your company will undoubtedly expose it to regulatory and civil liabilities. Having a legal strategy in place pre-breach to handle strict liability tort claims is a critical component of any cybersecurity program. I will discuss creating a program in Chapter 6. You must also recognize that your cybersecurity program will be under a legal microscope. You will need to prove that your company used a risk-based approach, applying security controls commensurate with the threats to information and assets. In other words, you did what would be considered reasonable to detect and defend against an attack – often called the “reasonable person test.” But it doesn’t stop there; you will also need to prove that your actions during the attack did not cause or contribute to the harm caused.
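The detection approach described under 1.5.1 above (keyword monitoring of collaboration messages, mail-gateway checks for SPAM floods, and checks for a captured session cookie being reused) can be shown as a small detector run over log records. The following is an added example and is not code from the book; the pipe-delimited record layout, the field names, the keyword list and the sample records are all assumptions constructed for the illustration, one record type per tort category the chapter lists.

```python
"""Added example: a minimal cyber tort detector over constructed log records.

Not code from the book. The pipe-delimited record format, the field names
and the keyword list are assumptions made for this illustration.
"""
from collections import Counter, defaultdict

# Constructed sample records (not real data). Addresses come from the
# RFC 5737 documentation ranges. Record types:
#   chat  -> collaboration messages   (intentional acts against persons)
#   mail  -> inbound mail-gateway log (cybertrespass to chattel: SPAM)
#   web   -> web access log with the session cookie value (cyber-conversion:
#            session hijacking shows up as one cookie used from two clients)
SAMPLE_LOG = "\n".join(
    [
        "chat|2017-03-01T09:00:05|alice|bob|can you send the Q1 numbers?",
        "chat|2017-03-01T09:01:10|mallory|bob|nobody wants you here, quit before we make you",
        "chat|2017-03-01T09:03:44|mallory|bob|you are worthless and everyone knows it",
        "mail|2017-03-01T09:05:00|192.0.2.7|inbound|subject=Re: invoice",
    ]
    # eight identical inbound messages from one outside address within a minute
    + [f"mail|2017-03-01T09:05:{s:02d}|203.0.113.9|inbound|subject=WIN NOW!!!"
       for s in range(1, 9)]
    + [
        "web|2017-03-01T09:10:00|192.0.2.12|sid=abc123|/account",
        "web|2017-03-01T09:10:30|192.0.2.12|sid=abc123|/orders",
        "web|2017-03-01T09:11:02|198.51.100.4|sid=abc123|/account/export",
        "web|2017-03-01T09:12:00|192.0.2.15|sid=def456|/account",
    ]
)

# Assumed watch-list; a real deployment would use a reviewed, HR-approved list.
HARASSMENT_TERMS = ("worthless", "nobody wants you", "quit before we")
SPAM_THRESHOLD = 5  # inbound messages from a single source address


def parse_log(log_text):
    """Split pipe-delimited records into field lists (max 5 fields so a
    message body may itself contain a pipe)."""
    return [line.split("|", 4) for line in log_text.splitlines() if line.strip()]


def detect_harassment(records, terms=HARASSMENT_TERMS):
    """Flag chat messages containing any watch-list phrase (case-insensitive)."""
    hits = []
    for rec in records:
        if rec[0] != "chat":
            continue
        _, ts, sender, recipient, text = rec
        matched = [t for t in terms if t in text.lower()]
        if matched:
            hits.append({"time": ts, "sender": sender,
                         "recipient": recipient, "terms": matched})
    return hits


def detect_spam_sources(records, threshold=SPAM_THRESHOLD):
    """Return source addresses whose inbound mail count meets the threshold."""
    counts = Counter(rec[2] for rec in records
                     if rec[0] == "mail" and rec[3] == "inbound")
    return {src: n for src, n in counts.items() if n >= threshold}


def detect_session_reuse(records):
    """Return session ids seen from more than one client address.
    This is a heuristic indicator of a captured cookie, not proof: roaming
    clients can legitimately change address, so results need review."""
    clients = defaultdict(set)
    for rec in records:
        if rec[0] != "web":
            continue
        _, ts, client_ip, sid_field, path = rec
        sid = sid_field.split("=", 1)[1]
        clients[sid].add(client_ip)
    return {sid: sorted(ips) for sid, ips in clients.items() if len(ips) > 1}


def build_report(log_text):
    """Run all three checks and group findings by the chapter's tort category."""
    records = parse_log(log_text)
    return {
        "against_persons": detect_harassment(records),
        "trespass_to_chattel": detect_spam_sources(records),
        "conversion": detect_session_reuse(records),
    }


if __name__ == "__main__":
    for category, findings in build_report(SAMPLE_LOG).items():
        print(category, findings)
```

Each check is deliberately simple so the mapping from log evidence to tort category stays visible; in practice the keyword list, the SPAM threshold and the session-reuse rule would be tuned against normal traffic, and every finding would be preserved with its timestamps, since the chapter's point is that your records of detection and response are what a court will later examine.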
1.5.3 Tort Precedents

Significant tort precedents relating to organizational liability exist that you and your legal department may find useful to examine:

• Lone Star Bank, et al. v. Heartland Payment Systems (5th Cir., September 2013).
• Patco Constr. Co. Inc. v. People’s United Bank (1st Cir., July 2012).

In both cases, the court determined that the defendants (People’s Bank and Heartland) did not act in a commercially reasonable way. Commercially reasonable is an important term, as it is regularly used in cybersecurity services contracts. Vendors will often cite in their contract “will use commercially reasonable means to secure the customer's data.” In legal terms this means “conducted in good faith and in accordance with commonly accepted commercial practice.” The court used this standard to determine whether People’s Bank or Heartland implemented reasonable security safeguards in light of the known threat and whether they followed generally accepted security practices. Both companies paid significant financial penalties and agreed to improve their data protection practices as part of their settlements. Ensuring your cybersecurity program is deployed according to generally accepted security practices is not just a matter of sound business judgment, but the measure by which a court will judge your defense in the event of a lawsuit resulting from a data breach.

TIP: Request that your legal counsel set up a meeting to conduct a cyber tort assessment to review your current cybersecurity program to ensure your company can recover from a post-breach strict liability lawsuit.

1.6 Cyberlaw Enforcement

The cyberlaw pendulum has now swung to the extreme where today there are hundreds of local, state, federal, and international cybercrime laws and regulations. This myriad of statutes has made understanding who is responsible for enforcement difficult at best. In some cases, an organization may have a dozen enforcement authorities that may bring suit for violating a computer offense statute. Some federal agencies have even been accused of overstepping their authority in punishing companies for weak cybersecurity. As computer security laws become less ambiguous and courts gain more experience prosecuting cases, the lines of enforcement authority are likely to become blurred. Thus, courts will no longer beg off taking on a case, leaving open the possibility of competing jurisdictions. You will need to identify all regulatory entities that carry enforcement authority over your cybersecurity program.

1.6.1 Regulatory Enforcement

Agencies or industries that have the authority to regulate your company generally have the power to direct your organization to protect your customers from cyberattack harm. The two types of industry-focused regulatory authorities you will encounter are industry (self-regulating) and government (enforced by law). They carry the same essential oversight and enforcement power, but with one primary distinction. Industry regulatory entities enforce their compliance through fines and sanctions for noncompliance. Government entities enforce compliance through legal fines and criminal penalties, including incarceration. The following are examples of industry regulatory authorities covering cybersecurity:

• Industry Self-Regulated Oversight.
  o Financial services: Financial Industry Regulatory Authority (FINRA).
  o Healthcare: Joint Commission on the Accreditation of Healthcare Organizations (JCAHO).
  o Retail: Payment Card Industry Data Security Standard (PCI DSS).
  o Utility: The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP).
• Government Industry Oversight.
  o Banking: Federal Financial Institutions Examination Council (FFIEC).
  o Chemical: The Chemical Facility Anti-Terrorism Standards Regulation (CFATS).
  o Education: Family Educational Rights and Privacy Act (FERPA).
  o Food and Drug: US Food and Drug Administration Code of Federal Regulations Title 21 Part 11.
  o Government: Federal Information Security Management Act (FISMA).
  o Healthcare: Health Insurance Portability and Accountability Act (HIPAA).
  o Healthcare: The Health Information Technology for Economic and Clinical Health Act (HITECH).
  o Public: Sarbanes-Oxley Act (SOX).

For each regulation to which your organization must adhere, you need to understand the enforcement capabilities of the regulatory body thoroughly.

1.6.2 Local Enforcement

Local computer-related enforcement exists for cybercrime offenses occurring within the boundaries of a city, county, or parish. Although some larger local law enforcement agencies have published computer crime codes, the majority enforce state computer use and abuse acts. Local laws issued for computer crime are commonly referred to as municipal codes or ordinances. Many local municipalities amend city codes to include state computer crime codes so that these types of offenses can be prosecuted in municipal courts.

1.6.3 State Enforcement

States have both data breach and computer crime laws with which you will need to familiarize yourself. In both cases, state prosecutors have the authority to enforce these laws through fines and incarceration. To date, the majority of cybercrime cases adjudicated at the state level have involved child pornography; however, that is rapidly changing as state courts become more sophisticated in pursuing other types of cybercrime cases. State courts are ideal for prosecuting computer-based crimes where the offender and victim reside within the same state. Over 40 states have a State Bureau of Investigation (SBI) with specialized computer crime units. These units are typically co-funded by the US Department of Justice (DOJ) and ostensibly act as a state version of the Federal Bureau of Investigation (FBI). They must be called in by a municipal entity in cases where the state has an interest. Their role is to assist in cyber investigations.

1.6.3.1 State Computer Crime Cases

State computer crime laws prohibit the use of computer equipment and communications to commit illegal activities consisting of any one of the previously listed cyber torts. Penalties for violating state cybercrime codes will include fines and incarceration. You should identify your state’s computer crime statute as well as which district court covers your area.

1.6.3.2 Data Breach Cases

Since 2006, most US states and territories have enacted a data breach notification law to protect their citizens from identity theft and financial fraud. Today, only three states have yet to pass a data breach bill. The important aspect of these laws is that, in order to comply, your company does not have to maintain a location in a particular state, but only needs to have customers resident in that state. You will need to review each state data breach notification law to ensure each relevant aspect of your cybersecurity program complies. You should pay particular attention to your security policies, data loss detection practices, and incident response program.

1.6.4 Federal Enforcement

The DOJ is responsible for enforcement of federal computer crime laws, prosecuting cases where the government has an interest. The DOJ’s Computer Crime and Intellectual Property Section (CCIPS) investigates and prosecutes cybercrimes referred by government agencies, the private sector, academic institutions, and foreign counterparts.

1.6.5 International Enforcement

International enforcement of cybercrime is predominantly accomplished through transborder law enforcement partners or task forces in cases of major cybercrime. In the event your organization is attacked by an international cybercrime ring, you will undoubtedly invest a significant amount of resources and time gathering evidence. Such was the case with Facebook’s 2012 cyberattack. In this example, the DOJ, FBI, and a cadre of international law enforcement agencies sought to take down an international cybercrime ring. Facebook’s security team provided assistance to law enforcement throughout the investigation by helping to identify the root cause, the perpetrators, and those affected by the malware used by the crime ring.
However, merely having these laws on the books hasn’t made enforcing and prosecuting cybercriminals much easier. Pursuing cybercrime cases is far more challenging than pursuing traditional crimes because cybercrime lacks the specialized law enforcement resources and digital forensic techniques available for conventional crime. These resources are necessary to gather evidence to prove mens rea and actus reus.

1.7 Cybersecurity Law Jurisdiction

Jurisdiction is the right to resolve a complaint, which means it is the burden of a plaintiff (the party who initiates a lawsuit) to prove that a particular court has the authority to adjudicate the penalties of the offense. The origin of the attack and the locations of the data and victims all play a role in determining jurisdiction. A further complication is that the jurisdictional venue must also have an appellate (appeal) court. Laws, enforcement, and penalties vary widely by jurisdiction depending on whether the case is a cybercrime or strict liability case. Not all venues have the same level of computer offense expertise, which could be reason enough to request a change of venue. A change of venue is simply requesting that a different court handle the case based on that court’s expertise in computer crime litigation.

1.7.1 Challenging Jurisdiction

You should create a matrix of the states and countries where your business operates and the locations of your service providers, as well as where your customers, suppliers, and data reside. Then, map all the related cybersecurity laws and regulations that apply to each location. This exercise will provide valuable insight into the rules and regulations with which your program should comply. In 2015, the US Federal Trade Commission (FTC) and Wyndham Worldwide reached a settlement over allegations that the company violated federal law regarding the protection of customer records. The agreement ended a four-year battle in which Wyndham challenged the FTC over its authority to pursue charges against businesses that fail to protect consumers from cyberthreats (Higgins, 2015). In return for the FTC dropping federal charges, Wyndham stopped its opposition to the FTC’s authority and agreed to improve its cybersecurity program and submit to oversight monitoring by the FTC. Challenging the jurisdiction at the state or local level is very different from challenging it at the federal level. Should you decide to challenge at the federal level, be prepared for a lengthy fight.

1.7.2 Extradition

It is hard to instill fear in hackers when most come from countries that have no extradition treaty with the US. Of the 70 nations that will not extradite to the US, the top two havens for hackers, China and Russia, are on the non-extradition list. In fact, the Russian constitution forbids the extradition of Russian nationals. So basically, a Russian hacker has complete impunity when it comes to hacking, regardless of how much evidence the US may have on the individual. Even when an extradition treaty is in place, the principle of “double criminality” must be proved. In other words, the offense must be a crime in both the country seeking extradition and the nation where the crime occurred. Extradition cases are best suited for government cybercrime cases in which your company may be a party, since the government has the resources and experience to extradite cybercriminals.

1.8 Cybercrime and Cyber Tort Punishment

Punishment is two-fold:

1. Through the use of fines and incarceration to punish the perpetrators.
2. By punishing those who fail to protect (tort) their information and assets.

Both of these are problematic due to the lack of uniform sentencing guidelines. Making the punishment fit the crime has been a long-standing principle in law, with many precedents and sentencing guidelines for judges to follow. However, in the case of cybercrime, the complexity of the offense makes sentencing offenders and companies challenging.

1.8.1 Cybercrime Punishment

Only a small number of hackers are ultimately caught and prosecuted. Identifying, apprehending, and determining jurisdiction have all contributed to the low conviction rate. In fact, it is not unusual for cases to drag on for several years. Cybercrime punishment consists of all or some forms of incarceration, fines, community service, restitution to victims, and probation. For example, consider the 2016 conviction of 24-year-old hacker Aleksandr Andreevich Panin, also known as “Gribodemon” and “Harderman,” who authored the Trojan malware called SpyEye. His malware, SpyEye, was directly responsible for the theft of $500 million throughout the world beginning in 2009. Although SpyEye was widely known and tracked, it took eight years to identify the author, prosecute, and sentence the cybercriminal. Vast disparities exist in sentencing physical versus virtual crimes. For example, Albert Gonzalez was the perpetrator of the TJX Company cyberattack, in which over 45 million credit and debit card numbers were stolen, resulting in $200 million in damages. If this had been a traditional crime with the physical cards stolen, he would have spent the rest of his life in prison. However, as this was a cybercrime, he was sentenced in 2010 to two concurrent 20-year terms, with the likelihood of being set free in half that time for good behavior.

1.8.2 Cyber Tort Punishment

At this point, two major questions emerge:

• How do you determine if an organization’s negligence in its computer security controls and its actions during an attack contributed to the harm?
• Which standard should be used to determine how much security is enough?

A regulatory violation is relatively straightforward, with published penalties based on the cost of disclosing confidential records and following a particular industry security standard. However, when it comes to negligence, someone must assign a value to the data. For example, the majority of data breach laws assess financial penalties based on data type, time to notify, or size of the violation. Penalties can run into the millions of dollars and, in cases of gross negligence, employees could be incarcerated. Negligence cases are more complex, as parties can argue the value of the data and the impact on the victims. Also, arguments can be made on the adequacy of the security controls deployed.

Wronged parties can sue companies for failing to maintain adequate controls to protect their information and assets or failing their duty to protect information. One such case occurred in 2014 when a US District Court judge in Minnesota set a groundbreaking precedent for companies by ruling Target Corp. could be sued for “failing to adequately defend” against a data breach. In this case, the court ruled that “Target’s actions and inactions – disabling certain security features and failing to heed the warning signs as the hackers’ attack began – caused foreseeable harm to Plaintiffs” and “Target’s conduct both caused and exacerbated the harm they suffered” (Burns, 2015). You can expect to see this precedent cited in many future cases. In a similar case, Sony Pictures Entertainment settled a lawsuit for $8 million when they could not prove they maintained adequate controls to protect employee information that was stolen by the Guardians of Peace hacker group (Pettersson, 2015).

TIP: When cyberlaws are broken, someone is always going to be held liable and made to pay. In the case of a hacking incident, the hackers are the ones sought. In the event of a failure of duty, it may very well be your organization.

Summary

By now you should have an appreciation for the need to interconnect the law with your cybersecurity program. As this chapter reveals, a cybersecurity program must provide a legally defensible position that your customers’ information is adequately protected and that any actions taken to stave off an attack do not unwittingly cause additional harm. It is also important to note that the nuances of cyberlaw definitions matter, to ensure that neither your security practices nor the law subjugate one another. Having a working understanding of the fundamentals of cybersecurity law is a necessity for most managers today.

References

Burns, T. (2015, November 19). $10m Target data breach settlement obtains final approval. Top Class Actions. Retrieved from http://topclassactions.com/lawsuit-settlements/lawsuitnews/237688-target-10m-setfinal-approval/

E.I. DuPont de Nemours and Co. v. Kolon Industries, Inc. (2011, September 21). Retrieved from http://tsi.brooklaw.edu/cases/ei-dupont-de-nemours-and-co-v-kolon-industries-inc

Higgins, J. K. (2015, December 28). Major challenge to FTC's cybersecurity authority evaporates. E-Commerce Times. Retrieved from http://www.ecommercetimes.com/story/82914.html

Pettersson, E. (2015, October 20). Sony to pay as much as $8 million to settle data-breach case. Bloomberg Technology. Retrieved from http://www.bloomberg.com/news/articles/201510-20/sony-to-pay-as-much-as-8-million-to-settle-data-breach-claims

Robinson, T. (2014, August 27). Former acting HHS cyber director convicted on child porn charges. SC Magazine. Retrieved from http://www.scmagazine.com/former-acting-hhscyber-director-convicted-on-child-porn-charges/article/368472/

US Department of Justice, Office of Public Affairs. (2015, December 17). Operation software slashers: Six defendants plead guilty to $100 million software piracy scheme. Retrieved from https://www.justice.gov/opa/pr/operation-software-slashers-six-defendants-pleadguilty-100-million-software-piracy-scheme

US Department of Justice, Office of Public Affairs. (2016, September 1). Romanian hacker “Guccifer” sentenced to 52 months in prison for computer hacking crimes. Retrieved from https://www.justice.gov/opa/pr/romanian-hacker-guccifer-sentenced-52-monthsprison-computer-hacking-crimes

Williams, K. B. (2015, September 16). Second Russian hacker pleads guilty in massive data theft scheme. The Hill. Retrieved from http://thehill.com/policy/cybersecurity/253904-secondrussian-hacker-pleads-guilty-in-massive-data-theft-scheme

Chapter 2 Overview of US Cybersecurity Law

In the last chapter, we covered how to define cybercrime and the basic elements of criminal and civil law. We even looked at some infamous cybercriminals who were caught in the act and prosecuted to the full extent of the law. In this chapter, I will build on these concepts to help you understand your legal obligations to duty and standard of care as an employee or manager at your company. Cybersecurity programs have procedures to ensure information and asset protection instructions are predictably and repeatedly followed. Cybersecurity law is no different; the law is very procedural, with precise requirements for how a criminal or civil case is conducted. Beginning with discovery, continuing through evidence gathering, and ending in the submittal of documents to a court, every step is highly controlled by procedure. Your understanding of this process will allow you to align existing cybersecurity practices properly. This chapter will help you to:

• Accept that as a manager or employee, you have a legal duty to act reasonably and responsibly in the protection of assets and information.
• Apply the legal rules of procedure to improve the effectiveness of your cybersecurity program.
• Identify which cybersecurity laws have the potential to impact your cybersecurity program.
• Arrive at legal strategies to handle a cybersecurity dispute outside of court.

2.1 Brief History of Resolving Cybersecurity Disputes

Remember sitting in history class and asking yourself, why does this matter? One thing that history has taught us is that we ignore its lessons at our peril – and such omissions will come back to haunt us, resulting in repeating the failures of the past. It is hard to think of computer security as even having a history; after all, the history of law began in 451 BCE in ancient Rome with the Law of the Twelve Tables. Although short in comparison, computer security does have a rich history, but I doubt many of you were around when the first legal computer crime language was adopted a little over 60 years ago in the Atomic Energy Act. This initial language evolved into a robust legislative framework that defines today’s cybersecurity law. Cybersecurity law is rapidly changing; in fact, according to my research, more cybersecurity legislation has been proposed and passed in the past two years than in the previous 30 years. By learning a little about the history of cybersecurity law, you will gain an understanding of how its legal framework was forged as well as how advances in technology have driven its development.

2.1.1 Computer Crime Laws in the Public Sector

It was the 1954 Atomic Energy Act that first made unauthorized access and use of information a crime. One of the earliest recorded cases of computer crime occurred in 1967, when a Texas Instruments employee stole 59 computer programs by photocopying the coding instructions with the intent to sell them to a competitor for $5 million. In the absence of any state or federal computer crime laws at the time, the state of Texas prosecuted and convicted the employee under the state’s property theft statute (Hancock v. State). Efforts to draft the first real computer crime legislation did not begin in earnest until 1976, when a report to the US Congress titled Computer-Related Crimes in Federal Programs documented 69 instances of improper use of federal computers resulting in over $2 million in losses (US General Accounting Office, 1976, p. 1). The resulting legislation was the Federal Computer Systems Protection Act of 1979. What was lacking, however, was legislation to address computer offenses in the private sector.

2.1.2 Computer Crime Laws in the Private Sector

Protection for the private sector would be addressed in 1986 with the passage of the Computer Fraud and Abuse Act, which made it a federal crime to access without authorization any computer to perpetrate a fraud or create a loss of value of more than $5,000. That same year, the first real Internet crime was committed when a graduate student at Cornell University, Robert Tappan Morris, launched a worm that caused significant interruptions across large portions of the Internet. In 1990, Morris became the first individual to be convicted under the Computer Fraud and Abuse Act. His conviction was affirmed upon appeal in 1991, and he served his sentence of three years, which consisted of probation, 400 hours of community service, a fine of $10,050, and the costs of his supervision (US v. Robert Tappan Morris, 1991). As you will read later, penalties have become much harsher.

2.1.3 Application of Laws to Cybersecurity

The application of civil law to cybersecurity cases would be tested in 1997 with the Cyber Promotions, Inc. (“Cyber”) v. Apex Global Information Services, Inc. (“Apex”) lawsuit. Here a federal district court ruled that Apex did not apply reasonable security controls to deter or prevent Internet attacks against its customer (Cyber) as they had with other clients. The Apex remedy had been simply to disconnect Apex from their network, which caused foreseeable harm to Cyber’s business. The court’s ruling further noted that other Internet service providers (ISPs) were able to apply a standard of care to prevent similar attacks and that Apex failed in its duty to Cyber (Cyber Promotions, Inc. v. Apex Global Information Services, Inc.). The court blamed Apex's conduct for its decision (Le, 1998). This ruling set the precedent for lawsuits to be based on a computer security duty of care. As computer hackers, nation-states, and organized cybercrime rings emerged, the level and sophistication of methods increased, causing significant financial losses and damage to critical infrastructure. This heightened state of criminal activity prompted the US government to amend existing computer crime legislation aggressively. However, when amendments no longer provided a deterrent, and cybercrime continued to spiral upward, the government passed significant pieces of legislation in 2014 to 2015 to fund, expand, and staff initiatives to combat cybercrime. This legislation included the Cybersecurity Enhancement, National Cybersecurity Protection, Federal Information Security Modernization, and Federal Computer Security Acts that I discuss in section 2.7.1.

2.2 Resolving Cybersecurity Disputes Outside of Court

Civil cybersecurity law relates to matters and disputes between companies where the injured party believes the other party failed in its obligation to protect the injured party’s information and interests. Unlike cybercriminal law, where the government is responsible for proving the cyber offense, civil cyberlaw requires the injured party to enforce their rights under the civil law by suing the company that caused the harm. Typically, for a lawsuit to have merit, a basis should be established on either a contractual dispute with a failed obligation (contract law) or a failure of one of the parties to exercise reasonable behavior (tort law). But what are the options if you don’t want to go to court? You have some options to resolve a cybersecurity dispute before it reaches a courtroom. These are requests to end the dispute before the trial begins:

• Mediation Law. This is a form of alternative dispute resolution where all parties to a potential lawsuit meet with a neutral mediator who guides a process of negotiation to reach a mutually agreeable settlement. The process is voluntary, and the results are not binding.
• Arbitration Law. Another form of alternative dispute resolution is where adversarial parties agree on a neutral arbitrator to resolve the matter in a quasi-legal forum. Arbitration can be voluntary or compulsory. Instances of compulsory arbitration are where one of the parties is required contractually or by law to participate in the arbitration.
• Dispositive Motions. Once a lawsuit is filed, lawyers file requests or arguments for an action by the court to make a decision before the lawsuit moves forward. Motions to dismiss, in which an attorney argues the case is without merit or standing, are among the most common.

2.2.1 Cybersecurity Case Mediation Law

Mediation and arbitration offer an alternative to traditional litigation. In fact, judges often recommend using either or both in cyberlaw tort cases when they order parties first to try to reach a negotiated settlement. An important distinction here is that mediation tends to be nonbinding, whereas arbitration is typically binding. In practice, you will find that mediation is rarely used in cybercriminal cases. However, it was ordered by a US district judge in 2000 in the prosecution case of a former Los Alamos physicist who stole computer tapes containing classified nuclear weapons data from a secure computer and refused to disclose what he did with the tapes (Pincus & Loeb, 2000). The precedent has been set that you or an employee of your company could be required to participate in mediation when a judge deems the case is at an impasse. You will find that the legal process tends to be iterative, beginning with mediation as a low-risk approach to solving computer security disputes while preserving your rights for arbitration or a more litigious approach later.

TIP: When mediation or arbitration is required by contract, you need to exhaust all avenues before a lawsuit is filed. In numerous cybersecurity cases, courts have summarily ruled to dismiss the case when required mediation or arbitration attempts have not been exhausted.

2.2.2 Cybersecurity Case Arbitration Law Many business disputes are resolved through arbitration rather than pursuing an expensive lawsuit. Many business contracts require the process of arbitration and cybersecuriy contracts are no different. It will be in your best interests to understand clearly the rules of arbitration as well as which contracts your company is a party to that require arbitration. You should begin by reviewing the contracts your company has with cybersecurity service providers to understand clearly the process to resolve a dispute. Arbitration clauses will specify whether they are binding or nonbinding and you should know the difference of both. Computer security-related arbitration cases are growing as a growing number of companies seek to ward off class action lawsuits resulting from a data breach. An arbitration clause in a business

contract aims to eliminate a class action lawsuit by forcing the parties to arbitrate their grievance. However, in 2012 a federal court struck down Zappos.com from forcing dozens of class action lawsuits into arbitration based on the arbitration clause contained in their user agreement. The court ruled that Zappos.com arbitration clause was deceptive and required users to search for the clause making it obscure (Goldman, 2012). The lesson here is that you cannot hold customers accountable for an agreement they were deceptively required to acknowledge. You should review these arbitration clauses with your legal department to ensure that all clauses are clear and that proof of customer acknowledgement is maintained as a vital record. Arbitration is used in data breach, failure to exercise adequate security, and even insider data theft cases. Such was the case in 2016 between Wells Fargo and Union Bank of Switzerland (UBS) when $1.1 million was awarded to UBS in an insider data theft case. An arbitration panel ruled that a departing UBS employee stole confidential electronic information over a period of months before joining Wells Fargo (Sprouse, 2016). What could have dragged on for many years in a lawsuit was efficiently handled through arbitration. If the parties agree to binding arbitration, the ruling is final and without appeal. Although, as discussed above, while arbitration is typically binding, you do have the option of nonbinding arbitration. Nonbinding arbitration allows the parties to escalate their grievance by instituting a civil lawsuit. Once you have agreed to resolve any contractual disagreements through arbitration – binding or nonbinding – domestic (US) dispute resolution typically falls to the American Arbitration Association (AAA); transnational disputes are handled by the International Chamber of Commerce (ICC); and disputes within the financial industry are managed through the Financial Industry Regulatory Authority (FINRA). 
Unlike civil cyberlaw court proceedings, arbitrations are less about procedures and motions and more about facts. Arbitration cases proceed quickly to a hearing on the merits, where the parties present the facts supporting the accusation or the defense.
• Nonbinding arbitration results in letters of intent or memorandums of understanding that clarify an existing or proposed legal or contractual agreement.
• Binding arbitration produces an award that is enforceable in court if a party fails to comply with it.
Arbitration cases are heard by a single arbitrator (acting much like a judge) or by a panel of arbitrators, somewhat like a jury.
2.2.3 Cybersecurity Case Dispositive Motion Law
As discussed earlier, dispositive motions are legal motions that seek to dispose of all or part of a lawsuit by dismissing some or all of its claims. Simply put, you petition the court to dispose of aspects or claims of the case based on a particular argument. You could ask your attorney to request that the entire case be dismissed, or only a portion of it. This type of motion can also be used to ask the judge to issue a summary judgment, ruling immediately based on the

facts presented. You would submit these motions before the trial is scheduled to commence. You may also use motions to resolve issues relating to the types of evidence that can be introduced. The following are some of the ways cybersecurity cases have been dismissed:
• Failure to State a Claim Upon Which Relief May Be Granted. Here the facts described in the lawsuit do not actually state a legal claim for relief. An example is Whalen v. Michaels Stores, in which the plaintiff was unable to show that the theft of her credit card data produced any damage or harm. A judge in the US District Court for the Eastern District of New York dismissed the case (Siegel, 2016).
• Lack of Harm. In January 2016, a Minnesota US District Court granted SuperValu, Inc. a motion to dismiss when plaintiffs were unable to prove actual loss or harm. Claims of potential future harm were dismissed (Tuma, 2016).
• Lack of Personal Jurisdiction. Courts will not hear a case in which they lack jurisdiction, that is, legal power over all the parties to the dispute. An Illinois federal judge ruled that Facebook could not be sued under Illinois' Biometric Information Privacy Act (BIPA) because Facebook neither specifically targets Illinois nor has sufficient connections with the state (Davis, 2016).
• Lack of Standing. An Eastern District of Missouri federal judge dismissed the Scottrade, Inc. data breach lawsuit in July 2016 when plaintiffs failed to establish standing. The judge noted that, even after two years, the plaintiffs had not experienced a single instance of identity theft (Aubin, 2016).
• Lack of Subject Matter Jurisdiction. This is an argument that the court in which the lawsuit was filed lacks the authority to rule on the case. In October 2013, a federal judge dismissed a data breach case against LinkedIn (Vaas, 2013). To bring a case in federal court, the harm must be concrete and particularized, as well as actual or imminent.
The plaintiffs could prove neither, leading the judge to rule that there was no case in controversy and therefore that the court lacked subject matter jurisdiction.
2.2.4 Cybersecurity Case Summary Judgments
You may be involved in a lawsuit in which neither the plaintiff nor the defendant disputes the facts of the case. When there is no genuine dispute over the material facts, and the law applied to those facts favors one side, the court can grant summary judgment to the party requesting it without holding a trial. For example, if your company were sued in a class action lawsuit, you might agree that the breach actually occurred as a result of your databases being compromised and that customer data was stolen. No argument there, but your attorney could still ask that the case be dismissed because the plaintiffs did not demonstrate that they lost any money. Under the case law on standing, the judge would have little choice but to dismiss the case. In another scenario, both parties concede the facts of the data breach and the plaintiffs can prove a loss. The plaintiffs could then ask for summary judgment on the amount of their damages, and the judge could rule immediately and award a financial judgment.

Largely because of dispositive motions and out-of-court settlements, only about 5% of all lawsuits go to trial. The important point to remember is that if you use the available out-of-court settlement strategies, a lawsuit need not be a long, protracted, and expensive event.
2.3 Duty of Care Doctrine
In cybersecurity tort law, the duty of care doctrine is a legal obligation imposed on an individual or company to adhere to a standard of reasonable care while entrusted with safeguarding personal or confidential information. It is important that you understand the seriousness of the fiduciary responsibility incumbent upon your organization. If your role includes direct responsibility for protecting information and assets, you can now be held personally liable for your actions. Your company needs to be fully aware of the foreseeable harm that can result from cyberattacks. In the context of cybersecurity law, your duty of care is imposed by data breach laws, computer security regulations, or federal computer crime laws. Obviously, you will face the question of how "foreseeable" and predictable an attack might be. For example, courts will likely expect companies to have foreseen harm where a widely known vulnerability was exploited despite the availability of patches or safeguards. In the case of a "zero-day attack," where a previously undisclosed vulnerability was exploited by hackers to steal data, courts will likely be more understanding in judging whether you met your duty of care.
TIP: Foreseeable harm can be determined from the results of your company's risk assessment program. Extend the likelihood and projected impact of threat events to the foreseeable harm to customers. Courts have been far less forgiving of arguments against foreseeable harm where publicly known exploits or security holes were involved.

In 2014, Luis A. Aguilar, a commissioner of the Securities and Exchange Commission (SEC), stated that "there can be little doubt that cyber-risk also must be considered as part of a board's overall risk oversight" (Aguilar, 2014). The inference is that board members of public companies have a fiduciary responsibility to shareholders and investors to oversee cybersecurity efforts. In 2016, H.R.5069, the Cybersecurity Systems and Risks Reporting Act, was introduced as an amendment to the Sarbanes-Oxley Act adding provisions for cybersecurity. The bill would require public companies to expand their internal controls and disclosures to cover cybersecurity, and to name a principal cybersecurity systems officer and at least one cybersecurity expert.

Your obligations under the duty of care doctrine cover a broad spectrum: you are required to provide reasonable security to protect information and to disclose material security breaches honestly and openly. Obligations under the duty of care include:
• Duty to provide reasonable security.
• Duty to reveal security breaches.
• Duty to accurately disclose safeguards.
• Duty to protect information.
2.3.1 Duty to Provide Reasonable Security
When a direct or implied contractual relationship exists, your company has a duty to protect customer interests and customer data. Think of reasonable care in terms of what a prudent person would do under the same circumstances. Once you have identified foreseeable threats, your organization should put in place the security controls and policies considered reasonable to protect customers. Courts have interpreted this protection to include measures that are commercially reasonable for defending adequately against cyberattacks. In the context of cybersecurity, "commercially reasonable" means that your efforts to protect data need to be consistent with the past practices of similar companies facing similar risks. For example, if you are in an industry in which generally accepted security practice for protecting data includes encryption, and a suitable number of encryption products and standards are available, then the courts would expect you to provide a similar level of protection. Courts will look to nationally or internationally accepted cybersecurity standards to define your duty of care. Two such standards are ISO/IEC 27001, Information technology – Security techniques – Information security management systems – Requirements (from the International Organization for Standardization), and NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations (from the National Institute of Standards and Technology).
2.3.2 Duty to Reveal Security Breaches
If your organization experiences a breach of data security, your duty of care requires that you disclose it to your customers. This duty arises from state data breach laws, which specify a clear duty to notify customers that their data has been compromised and to tell them what security controls were in place at the time of the breach. You also have a responsibility under common law (previous court cases) principles governing negligence liability to ensure that your company does not ignore obvious threats or harbingers of an attack. In addition, public companies are required to disclose cybersecurity breaches under the SEC Division of Corporation Finance document CF Disclosure Guidance: Topic No. 2 – Cybersecurity. This

document specifies the disclosure obligations of public companies relating to cybersecurity risks and cyber incidents, and directs them to address cybersecurity risks and cyber incidents in their risk factor disclosures. Some of your primary disclosure obligations include:
• Disclose the risk of cyber incidents as a business risk factor.
• Disclose conclusions on the effectiveness of cyber controls.
• Disclose the financial effect of a cyberattack.
• Disclose loss contingencies arising from a cyberattack.
The SEC cybersecurity disclosure guidance also addresses how companies can capitalize their investments in cybersecurity, how to account for incentives offered to customers to stay with the company following a cyberattack, and how to account for losses incurred from a security breach. I recommend you take a closer look at the Accounting Standards Codification (ASC), in which the accounting profession has codified generally accepted accounting principles (GAAP):
• ASC 350-40 – Internal-Use Software: This rule governs the accounting for the cost of cybersecurity software used to protect internal systems, including which costs may be capitalized. This would include intrusion detection systems, firewalls, anti-virus, and other types of security software.
• ASC 605-50 – Customer Payments and Incentives: This rule may allow you to expense data breach customer retention costs, such as credit monitoring subscriptions, customer security software, and other qualifying expenses.
• ASC 450-20 – Loss Contingencies: This rule may allow you to recognize probable and reasonably estimable losses resulting directly from the cyberattack.
TIP: Have a discussion with your company's chief financial officer (CFO) about how these accounting rules may be used to support the cybersecurity program financially. Expenses could cover capital investments as well as upgrades in cybersecurity technologies.

What happens if your organization's chief information security officer (CISO) is at odds with executive management over the disclosure of a security breach? In the case of Yahoo!'s data breaches, reports suggested that Yahoo!'s CISO, Alex Stamos, had pushed aggressively for management to act more strongly on the breaches, without success. He resigned in 2015 and took the role of CISO at Facebook (Swisher & Wagner, 2016).
TIP: Carefully document your communications with senior management regarding the reporting of data breaches to ensure that you are adhering to your duty to disclose. Advise management formally of the legal requirements to disclose security breaches. Such documented communication provides a level of protection for you in the event a tort case is filed against the organization.

2.3.3 Duty to Accurately Disclose Safeguards
You have a duty, enforced by the law of misrepresentation, which imposes a general obligation to provide accurate statements. Companies have been sued for "puffing up" the types of cybersecurity controls deployed to protect customer information. Misrepresenting your company's cybersecurity defense capabilities is a serious breach of duty. In one such example, Columbia Casualty, a division of CNA Financial Corporation, sued its former client Cottage Health System to recover a $4.125 million claim payout made as a result of a 2014 class action lawsuit. After CNA funded the settlement, it asserted that Cottage Health System had misrepresented its security controls on its policy application, invoking the policy's exclusion for "failure to follow minimum required practices." A California federal court subsequently dismissed the case without prejudice (meaning CNA can refile later) because CNA had not exhausted the non-judicial remedies required by the policy before filing suit (Anderson, 2015). CNA will continue to pursue recovery of its payout on the primary ground that Cottage Health System failed to encrypt its data as declared on its policy application. What makes this case particularly interesting is the full gamut of legal actions it involved: first, a class action lawsuit brought by those affected by the data breach; second, the contract dispute over the insurance claim; third, a lawsuit following the failure to resolve the contract dispute; and last, arbitration. The point is that such an issue can turn into a drawn-out legal battle lasting years. You will need to ask yourself whether your company's data protection disclosures accurately reflect how you protect your customers' interests and data.
TIP: Perform an assessment of your company's security and data privacy statements regarding your cybersecurity program to validate the accuracy of claimed assurances and data protection safeguards.

2.3.4 Duty to Protect Information
If your company is contracted to process or store customer information, you have a legal duty under common law to exercise due care in safeguarding confidential or personal information. Some statutes specify a right to relief or a form of compensation if that duty is not upheld. Even if no written or implied form of compensation for a data breach exists, the affected party may still be able to bring a tort suit based on common law (precedent) legal theories that establish a duty to protect information. Under common law, if you have a contractual relationship with a party, you may be viewed as having a duty to safeguard that party's information from cyberattacks because your company is in the best position to take the necessary protective measures. In addition, where a contract exists between two parties, the customer can claim negligence. Make sure you thoroughly understand the

contractual relationship that exists between your company and your customers, and ask yourself whether what you are doing is prudent.
2.3.5 State-Based Duty of Care Laws
Some states have passed duty of care laws to compel businesses to safeguard customer interests and data. Minnesota passed the first Plastic Card Security Act in 2007. This was the first time a state wrote an industry standard, the Payment Card Industry Data Security Standard (PCI DSS), into law. The act holds companies handling credit and debit card data legally liable for implementing PCI DSS. In 2010, Nevada (NRS Chapter 603A) and Washington (HB 1149) joined Minnesota with their own versions of payment card data breach laws. Other states have incorporated this type of protection into their existing data breach laws as well. You will need to identify any particular duty of care laws passed in the states where your company operates.
2.4 Failure to Act Doctrine
After reading about your duties of care, you should have a good idea of your legal obligations to protect information, but what about a failure of care? Legally, a failure of care translates to a failure to act, and your failure to act matters just as much as your duty of care. The differences may appear subtle, but they are important. Under failure to act or failure to warn, you have a responsibility to take an action that either avoids further harm or prevents harm. Even when no established duty of care exists, you may still have an obligation, based on your vantage point, to reduce or prevent harm. You and others may feel uncomfortable with this doctrine, which is exactly why Good Samaritan laws exist. Obligations under the failure to act doctrine include:
• Failure to act duty.
• Failure to warn duty.
• Good Samaritan law.
2.4.1 Failure to Act Duty
Failure to act rules require the exercise of reasonable care to avoid, minimize, and not exacerbate the damages caused by a cyberattack.
For example, if you have a contractual obligation to secure your customers' data or to provide a secure method of sharing digital information, you have a pre-existing legal duty to act. There also needs to be a causal connection between the failure to act and the harm caused. Let's put this in concrete terms. Suppose a company chooses not to encrypt personally identifiable information (PII) stored on a Microsoft SQL Server that is missing the Microsoft-recommended security patches, and hackers gain access, exfiltrate all the PII, and then use it to steal your customers' identities, causing them financial loss. That is a failure to act. A claimant in that example would argue that your company failed to procure appropriate cybersecurity safeguards, which increased the risk of harm in light of your knowledge that unpatched computers represent a significant risk.

2.4.2 Failure to Warn Duty
A failure to warn duty arises when a person or entity knows of a harm yet chooses not to disclose that danger to protect others. Take for instance the case of Jane Doe No. 14 v. Internet Brands, Inc., DBA Model Mayhem. In 2011, a model went to Florida for an audition with an alleged talent scout she had found on the website modelmayhem.com. At the fake audition, the model was drugged, raped, and filmed. The model sued Internet Brands, Inc., the parent of Model Mayhem; however, the federal district court dismissed the case on the grounds that the claim was barred by the Communications Decency Act (CDA), 47 U.S.C. § 230(c). Section 230 provides that website operators cannot be treated as the publisher of, or held accountable for, content posted by their users. That ruling was overturned in 2016 when the Ninth Circuit Court of Appeals held that the Jane Doe claim was not barred by the CDA and that Internet Brands could have a duty to warn based on its knowledge of the rape scheme perpetrated through its website and the special relationship it holds with its users (Tung, 2016). The case is now going forward. Its outcome could forever change how website service companies rely on the CDA to limit their liability. Internet companies such as Google commonly exercise a duty to warn by issuing warnings to their users about specific cyberattacks. The US government also recognized a duty to warn in a July 2015 publication, which says, "Duty to Warn means a requirement to warn US and non-US persons of impending threats of intentional killing, serious bodily injury, or kidnapping." The document also notes, "This includes threats where the target is an institution, place of business, structure, or location" (Office of the Director of National Intelligence, 2015, pp. 1-2).
Whether these warnings will be interpreted to include cyberattacks remains to be seen; however, as the intelligence community comprises 17 agencies and organizations, all with a cybersecurity component, it is widely assumed that it won't be long. One of the most visible examples of duty to warn involves a security flaw discovered in 2015 by white hat hackers, who use their abilities for the good, ethical, and legal purpose of exposing computer security flaws. When the hackers demonstrated that they could control a broad range of Jeep vehicle systems, including safety-critical ones, from up to 10 miles away (cruise control, brakes, radio, windshield wipers, and transmission among them), it led to the July 2015 recall of 1.4 million Fiat Chrysler vehicles (Ungerleider, 2015). The hack prompted the introduction of H.R.3994, the SPY Car Study Act of 2015. The Fiat Chrysler recall is a good example of a company properly exercising its duty to warn. To determine whether your organization has a duty to warn, sit down with your legal counsel to consider carefully the relationship you have with your customers and whether your company's operations have a known way of causing harm.

2.4.3 Cybersecurity Good Samaritan Law
Most of us have heard of Good Samaritan laws, which offer legal protection to those who assist people they believe to be injured or in peril. The lack of a cybersecurity Good Samaritan law is a top reason companies cite for not readily sharing cyber threat information with other organizations or with the government. That excuse may no longer apply after the passage of the Consolidated Appropriations Act, 2016, which includes the Cybersecurity Information Sharing Act of 2015 and creates a voluntary cybersecurity information sharing process within the Department of Homeland Security (DHS). Section 105 of that act establishes the sharing process, and Section 106 removes liability for companies that share threat and vulnerability information in accordance with it. Extending liability protection to private entities for sharing cyberattack information essentially elevates this act to a cybersecurity Good Samaritan law. One other important aspect of the act is that information shared with the government is exempt from disclosure under the Freedom of Information Act, meaning that others cannot use public records requests to learn what you shared. To learn more about S.754, the Cybersecurity Information Sharing Act of 2015, see https://www.congress.gov/bill/114th-congress/senate-bill/754/text.
2.5 Reasonable Person Doctrine
In tort cases, you will be expected to exercise the average care, skill, and judgment of others in your field or industry in the conduct of your duties. Managers of cybersecurity (as well as all company officers) have an obligation to protect information and assets. Therefore, it is important that you understand the doctrine of the standard of care of a "reasonable person." In a cybersecurity tort case, the standard of care is what separates a negligent act from an accident. Neglecting the proper standard of care to protect information and assets exposes the negligent party to a suit for negligence.
Your actions during and after a cyberattack will be compared with what a reasonable person would do in a similar situation. Juries will also evaluate your conduct in light of your level of knowledge.
TIP: If you hold one or more security certifications, you may be deemed a security expert and held to a higher standard of conduct. You would be expected to know and follow industry-accepted cybersecurity standards and to provide the minimum protections required under the law.

An excellent example of how industry knowledge can be used to claim negligence is the September 2016 lawsuit filed against Yahoo!. A class action lawsuit filed in California by Yahoo! users claimed the company was grossly negligent in its handling and disclosure of a massive data breach affecting 500 million user accounts, having taken two years to detect the hack. The lawsuit argues that the industry average time to detect a cyberattack is 191 days, with 58 days to contain a breach. Yahoo! cybersecurity personnel will likely find it difficult to claim they acted as a reasonable person would in a similar situation.

2.6 Criminal Cyberlaw
The criminal law relating to cyber offenses is a system of legal rules designed to deter wrongful conduct relating to computers and information. Hackers or malicious insiders who violate these laws face incarceration, fines, victim restitution, forfeiture of assets, and similar penalties. Criminal law is adversarial by design, requiring an advocate to represent each side's position before a judge or jury, who attempt to determine the truth of the case. This is an important point, since your firm may need to be prepared to "argue" its case if it becomes involved in a lawsuit.
2.6.1 Cybercrime Penalties
Criminal penalties in the US are categorized into degrees of offense, and cybercrime is no different. Many states, as well as the federal government, base their sentencing guidelines on these levels. Less serious crimes are misdemeanors and more serious ones are felonies. Financial penalties, incarceration, probation, and other forms of punishment vary by degree as well. Virtually all cybercrimes are defined as unauthorized access to a computer, computer tampering, or intentionally altering or destroying data. The degree or level of the crime is determined by the amount of damage done, the financial loss, and the intent. Table 2-1 illustrates the primary degrees of cybercrime.
Table 2-1. Cybercrime Degrees
Degree                  Class                 Financial Damage Level   Maximum Prison Term
1st Degree Cybercrime   Class C Felony        $10,000                  20 Years
2nd Degree Cybercrime   Class D Felony        $5,000                   10 Years
3rd Degree Cybercrime   Class A Misdemeanor   $1,000                   5 Years
4th Degree Cybercrime   Class B Misdemeanor   $500                     1 Year

Criminal offense classifications vary by jurisdiction (state and federal). A degree classification can be designated by a letter or a number, and some jurisdictions define five or more degrees. You will need to review your respective jurisdictions for their specific classifications. Knowing the degrees of crime in your own jurisdiction will help you identify the type and depth of forensic investigation necessary to assist law enforcement.
TIP: Use criminal degrees to determine the level of effort and cost your organization should invest in a forensic investigation. For example, the cost of investigating a misdemeanor may not be justified.

2.7 Federal Computer Crime Statutes
Computer crime laws encompass a variety of offenses in which computer information is destroyed, altered, stolen, or otherwise interfered with. Many computer crime bills are introduced each year; few become law. It is important for you to know that many of these laws have been, and will continue to be, amended. An early enactment year does not make a law any less effective, because amendments keep it current.
2.7.1 Significant Federal Laws Addressing Computer Security
The following are the most important federal laws and bills addressing computer crime:
• 1954 – Atomic Energy Act: The first federal law to specify the classification and safeguarding of information and to make unauthorized access and use a crime. The 1946 version of the act covered the control of information; however, it referred to the technology as "appliances" since computers were in limited use at the time.
• 1986 – H.R. 4718 – Computer Fraud and Abuse Act: Amends an existing computer fraud law (18 U.S.C. § 1030) that had been enacted as part of H.R. 5963, the Comprehensive Crime Control Act of 1984. Since its inception, the Computer Fraud and Abuse Act has been amended repeatedly, including in 1988, 1994, 1996, 2001, 2002, and 2008.
• 1986 – H.R. 4952 – Electronic Communications Privacy Act: Amends the federal criminal code to extend the prohibition against the unauthorized interception of communications to specific types of electronic communications.
• 1987 – H.R. 145 – Computer Security Act: Designed to improve the security and privacy of sensitive information held in federal computer systems. Creates a means of establishing minimum acceptable security practices for such systems, without limiting the scope of security measures already planned or in use.
• 2014 – S.1353 – Cybersecurity Enhancement Act: Facilitates and supports the development of a voluntary, consensus-based, industry-led set of standards and procedures to cost-effectively reduce cyber risks to critical infrastructure.
• 2014 – S.2519 – National Cybersecurity Protection Act: Establishes a national cybersecurity and communications integration center in the Department of Homeland Security (DHS).
• 2014 – S.2521 – Federal Information Security Modernization Act: Implements standards and guidelines for safeguarding federal information and systems from a known or reasonably suspected information security threat, vulnerability, or risk.
• 2015 – S.1990 – Federal Computer Security Act: Directs the Inspector General of each executive agency that operates a federal computer system providing access to classified information or personally identifiable information to submit a report to the Comptroller General and specified congressional committees that includes:

1. A description of the logical access standards used by the agency to access such a system, including whether the agency uses multi-factor logical access controls for such access.
2. If the agency does not use such access controls, a description of the reasons for not doing so.
3. A description of the data security management practices used by the agency, including the policies and procedures for conducting inventories of software and associated licenses, an indication that the agency has entered into a licensing agreement for the use of software security controls to monitor and detect threats, or an explanation of why it has not entered into such an agreement.
4. A description of agency policies and procedures for ensuring that entities that provide services to the agency are implementing data security management practices.
Laws relating to encryption, copyright, privacy, etc. are covered elsewhere in this book.
2.7.2 The US Code
Most of the operative provisions of the various federal computer crime laws come directly from, or by reference to, the US Code, which contains the general and permanent laws of the nation. The 1986 Computer Fraud and Abuse Act, for example, amends Section 1030. Among the titles of the US Code, Title 18 deals with crime and criminal procedure. Within Title 18 is Chapter 47 – Fraud and False Statements, in which Section 1030 covers fraud and related activity in connection with computers. Owing to the seriousness of these crimes, the US Code gives the FBI and the Secret Service authority to investigate offenses under Section 1030 and to apprehend offenders. Table 2-2 summarizes the primary crimes defined in Section 1030 and their associated penalties.
Table 2-2. Primary Crimes Contained in US Code and Their Associated Penalties
Offense                                                    Section      First Offense (Years)   Second Offense (Years)
Obtaining National Security Information                    (a)(1)       10                      20
Accessing a Computer and Obtaining Information             (a)(2)       1 to 5                  10
Trespassing in a Government Computer                       (a)(3)       1                       10
Accessing a Computer to Defraud & Obtain Value             (a)(4)       5                       10
Intentionally Damaging by Knowing Transmission             (a)(5)(A)    1 to 10                 20
Recklessly Damaging by Intentional Access                  (a)(5)(B)    1 to 5                  20
Negligently Causing Damage & Loss by Intentional Access    (a)(5)(C)    1                       10
Trafficking in Passwords                                   (a)(6)       1                       10
Extortion Involving Computers                              (a)(7)       5                       10

Crimes can be misdemeanors or felonies depending on the seriousness of the offense. Crimes committed for commercial use or financial gain, or in furtherance of another criminal act, tend to be classified as felonies.
2.8 Procedural Law
Procedural law is simply the process a case follows from beginning to end, whether or not it makes it to trial. Federal, state, and international courts each have their own set of rules (evidence, pleadings, practices, etc.), referred to as a code of criminal or civil procedure. You will need to be aware of the rules governing how a court hears and decides civil lawsuits and criminal cases, which exist to ensure due process. A comprehensive penal code does not guarantee successful prosecution if the procedural law is not followed. Of particular importance to you will be the rules of evidence. For example, evidence gathering procedures may assume physical evidence when, in fact, you will need to gather virtual evidence that resides in the cloud. Like career criminals in other areas of law, cybercriminals are well versed in leveraging criminal procedure to structure their crimes and avoid prosecution. Procedural law includes:
• Rules of criminal procedure.
• Rules of civil procedure.
2.8.1 Rules of Criminal Procedure
Prosecuting cybercrimes requires a specific set of rules to ensure that evidence is gathered correctly and properly presented in court. These rules protect the rights of the accused as well as the interests of the prosecution and the victim. Your understanding of the rules of evidence and criminal procedure is what will guide your approach to incident response and forensic investigation practices. One of the most important components of the Federal Rules of Criminal Procedure relates to search and seizure. Table 2-3 summarizes the three search and seizure rules you should be most familiar with.
Table 2-3. Rules of Search and Seizure
Rule               Title                                               Purpose
Rule 41(e)(2)(B)   Warrant Seeking Electronically Stored Information   Authorizes the seizure of electronic storage media or the seizure or copying of electronically stored information, and provides for later review of the media or information consistent with the warrant.
Rule 41(f)(1)(B)   Inventory                                           Requires that an inventory of all property seized be made in the presence of another officer or a credible person, as well as the person from whom the property was taken. Data seized can be summarized according to the device on which it resides.
Rule 41(g)         Motion to Return Property                           Allows a person aggrieved by the seizure to move for the return of the property. If the motion is granted, the court may impose reasonable conditions to protect access to the property and its use in later proceedings.

You can access the entire text of the 2015 version of the Federal Rules of Criminal Procedure at https://judiciary.house.gov/wp-content/uploads/2016/02/Criminal2015.pdf. As one example of our current dynamic legal landscape, in April 2016 the US Supreme Court approved the US Department of Justice’s requested amendment to Rule 41, which would permit judges to issue search warrants for computer investigations, searches, and surveillance outside of the judge’s home district. The US Congress had until December of 2016 to block it before it became a permanent amendment to Rule 41. What this means to you is that, in the course of a criminal investigation, your organization or its employees may have their computers searched remotely by the FBI. What would you do if your intrusion detection system detected such an event?

2.8.2 Rules of Civil Procedure (Cyber Tort)

What you may not know, however, is that the rules of civil procedure apply to your organization whether you are ever involved in a court case or not. In 2006, the Federal Rules of Civil Procedure were significantly revised to require any business that could be included in a civil action in a federal court to retain electronic records in the form of email, instant messages, text documents, and other digital information (logs, etc.). The rules require digital records to be retrievable if economically feasible. Additionally, you are required to show how your organization retains electronic documents, what practices are used to retrieve them, and by what policy and methods files and digital records are deleted. In 2015, the rules were further amended to take into account the increasing size and sophistication of digital data (think big data). Table 2-4 summarizes the important rules pertaining to digital data with which you should be most familiar.

Table 2-4. Rules Applying to Digital Data
Rule | Title | Purpose
Rule 16(b)(3)(A)(iii) | Contents of Order | Provides for disclosure, discovery, or preservation of electronically stored information.
Rule 26(a)(1)(A)(ii) | Initial Disclosure | Allows the request of a copy, or a description by category and location, of all documents, electronically stored information, and tangible things that the disclosing party has in its possession, custody, or control and may use to support its claims or defenses, unless the use would be solely for impeachment.
Rule 26(b)(2)(B) | Specific Limitations on Electronically Stored Information | Allows a party to omit discovery of electronically stored information from sources that the party identifies as not reasonably accessible because of undue burden or cost.
Rule 26(f)(3)(C) | Discovery Plan | Provides a format to state issues that may arise regarding the disclosure, discovery, or preservation of electronically stored information, including the form or forms in which it should be produced.
Rule 34(b)(1)(C) | Procedure | Allows a specification of the forms or media in which electronically stored information is to be produced.
Rule 37(e) | Failure to Preserve Electronically Stored Information | Allows remedies if electronically stored information that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to preserve it, and it cannot be restored or replaced through additional discovery.

You can access the entire text of the 2015 version of the Federal Rules of Civil Procedure at http://www.uscourts.gov/rules-policies/current-rules-practice-procedure/federal-rules-civil-procedure.

TIP: Understanding the rules of discovery that exist before and during a lawsuit will help you structure your information and records management processes to support the rules of civil and criminal procedure.

2.9 State Computer Crime Laws

In 1978, Arizona and Florida, under increasing pressure from their attorneys general to have more relevant laws to prosecute computer criminals, enacted the first state-level computer crime statutes. By 1999, every state had passed some form of computer security law. While some states modeled their laws on the proposed Federal Computer Systems Protection Act of 1979, others created statutes from existing property theft laws, considering theft of information or money in electronic form as essentially the same as a physical act.

The period from 1978 to 1998 provided ample prosecuting experience for states to decide that a state-specific guideline for drafting and amending computer security laws was required. States wanted a framework that was less dependent on the US federal government and existing theft statutes. In 1999, a council of states was convened to create the Model State Computer Crimes Code. The model organized computer protection statutes into eight categories: procedural issues; non-sexual crimes against persons; sexual crimes; crimes involving computer intrusions and damage; fraud and theft crimes; forgery crimes; gambling and other crimes against public morality; and crimes against the state government (Brenner, 2001). State laws tend to identify degrees of computer offenses to reflect the severity of the offense. For example, crimes classified as aggravated carry higher penalties. Examples of aggravated cybercrime include significant harm to victims and damage to hacked computers. Penalties can vary widely between states. For instance, in New Jersey a loss of more than $200 is a felony; in South Dakota damages must exceed $1,000; and in Connecticut the threshold is $10,000. A unique aspect of many state computer crime laws is the requirement that offenders have a requisite mental state to be convicted of an offense. This means that before a hacker can be placed on trial, the court automatically orders a mental state evaluation report. Many state laws also include the ability of the victim to sue for civil relief, receiving compensation for their damages. Under many state laws, cybercriminals can also expect to forfeit all their computer equipment once convicted. State jurisdiction is evolving. Initially, states envisioned their laws applying primarily to in-state crimes where the perpetrator and victim both reside. However, advances in technology such as the cloud and virtual computing created a situation where states needed to define jurisdiction in several ways. States face situations where criminals located outside of the state cause substantial harm and losses to its citizens. Take, for example, a case in which a cybercriminal in one state is hacking into persons or companies in another state. In this case, the hacker has no intent to cause harm in his own state, so the state where his victims reside must request that the hacker’s home state assist in the prosecution. Depending on the states’ relationship and resources, they may or may not cooperate. Some states experiencing this situation have amended their computer crime statutes to specify that those who commit a crime by accessing a computer in another state will be “deemed to have personally accessed the computer” in both states and can be prosecuted in either state (Brenner, 2001). This jurisdictional nuance has created unintended consequences, where state-to-state and federal-to-state jurisdictional issues now exist. In cases where the cybercrime is particularly egregious or aggravated, all states affected may wish to pursue a case, resulting in a situation of excess jurisdiction.

TIP: To research which states’ laws your cybersecurity program must adhere to, visit the National Conference of State Legislatures website, where a current list of computer crime statutes is maintained.

Summary

The object of this chapter has been twofold. First, it has been to reinforce your understanding of your legal obligations and duties as an employee, manager, officer, or director who is directly involved with your organization’s cybersecurity program. Second, it has been to provide you with insight regarding where to begin to align your cybersecurity program with civil and criminal rules of procedure. By now, you no doubt realize that a partnership with your company’s legal department should be viewed as a necessity, given the number of laws that affect what you do and the complexity of these laws. You should start to see that your role (and that of cybersecurity) in the organization is much bigger than you may have previously realized.

References

Aguilar, L. A. (2014, June 17). Boards of directors, corporate governance and cyber-risks: Sharpening the focus. Harvard Law School Forum on Corporate Governance and Financial Regulation. Retrieved from https://corpgov.law.harvard.edu/2014/06/17/boards-of-directors-corporate-governance-and-cyber-risks-sharpening-the-focus/
Anderson, R. (2015, May 28). The devil in the cyber insurance details. Advisen News. Retrieved from http://www.advisenltd.com/2015/05/28/the-devil-in-the-cyber-insurance-details/
Aubin, D. (2016, July 14). Scottrade wins dismissal of class action over data breach. Westlaw News. Retrieved from http://www.reuters.com/article/scottrade-cyber-idUSL1N1A023M
Brenner, S. W. (2001). State cybercrime legislation in the United States of America: A survey. Richmond Journal of Law and Technology, 7(3). Retrieved from http://scholarship.richmond.edu/cgi/viewcontent.cgi?article=1128&context=jolt
Cyber Promotions, Inc. v. Apex Global Information Services, Inc. (United States District Court for the Eastern District of Pennsylvania 1997).
Davis, W. (2016, January 25). Judge dismisses “faceprint” suit against Facebook in Illinois. The Daily Online Examiner. Retrieved from http://www.mediapost.com/publications/article/267390/judge-dismisses-faceprint-suit-against-facebook.html
Goldman, E. (2012, October 10). How Zappos’ user agreement failed in court and left Zappos legally naked. Forbes. Retrieved from http://www.forbes.com/sites/ericgoldman/2012/10/10/how-zappos-user-agreement-failed-in-court-and-left-zappos-legally-naked/#2246b19b2f6b
Hancock v. State, 402 S.W.2d 906 (Tex. Ct. Crim. App. 1966).
Le, C. (1998). How have Internet service providers beat spammers? Richmond Journal of Law and Technology, 5(2). Retrieved from http://scholarship.richmond.edu/cgi/viewcontent.cgi?article=1054&context=jolt
Office of the Director of National Intelligence. (2015, July 21). Duty to warn. (Intelligence Community Directive 191). Retrieved from https://www.dni.gov/files/documents/ICD/ICD_191.pdf
Pincus, W. & Loeb, V. (2000, July 16). Judge orders mediation in government’s case against Wen Ho Lee. The Washington Post. Retrieved from http://community.seattletimes.nwsource.com/archive/?date=20000716&slug=4031995
Siegel, M. (2016, January 28). Michaels crafts successful motion to dismiss in data breach case. Cyber Law Monitor. Retrieved from http://cyberlawmonitor.com/2016/01/28/michaels-crafts-successful-motion-to-dismiss-in-data-breach-case/
Sprouse, W. (2016, May 20). UBS wins $1.1m from Wells Fargo in data theft case. OnWallStreet. Retrieved from http://www.onwallstreet.com/news/ubs-wins-11m-from-wells-fargo-in-data-theft-case
Swisher, K. & Wagner, K. (2016, September 22). Yahoo has confirmed a data breach with 500 million accounts stolen, as questions about disclosure to Verizon and users grow. Recode. Retrieved from http://www.recode.net/2016/9/22/13021300/yahoo-hack-data-breach-500-million-accounts-stolen
Tuma, S. E. (2016, January 8). SuperValu data breach class action dismissed for lack of harm. [Web log post]. Retrieved from https://shawnetuma.com/2016/01/08/supervalu-data-breach-class-action-dismissed-for-lack-of-harm/
Tung, J. R. (2016, June 1). 9th circuit revives bogus casting call Model Mayhem suit. [Web log post]. Retrieved from http://blogs.findlaw.com/ninth_circuit/2016/06/9th-circuit-revives-bogus-casting-call-model-mayhem-suit.html
Ungerleider, N. (2015, July 24). 1.4 million Chrysler cars recalled due to security flaw. Fast Company. Retrieved from https://www.fastcompany.com/3049037/fast-feed/14-million-chrysler-cars-recalled-because-of-cybersecurity-flaws
US General Accounting Office. (1976, April 27). Computer-related crimes in federal programs. (Publication No. FGMSD-76-27). Retrieved from http://www.gao.gov/products/FGMSD-76-27
US v. Robert Tappan Morris, 928 F.2d 504 (US Court of Appeals, Second Circuit 1991). Retrieved from https://scholar.google.com/scholar_case?case=551386241451639668
Vaas, L. (2013, March 8). $5 million class action lawsuit over LinkedIn data breach dismissed. [Web log post]. Retrieved from https://nakedsecurity.sophos.com/2013/03/08/linkedin-lawsuit-data-breach/

Chapter 3 Cyber Privacy and Data Protection Law

Remember the first time someone told a secret of yours even after they promised never to tell? That is exactly how it feels to hundreds of millions of people every year when they learn their secrets were betrayed by companies they trusted. Knowing that their private health or financial information is somewhere on the dark web going to the highest bidder causes them untold angst. People hold their privacy dear, and when it is violated, they will seek ways to punish those responsible for violating their trust. Despite the existence of many privacy laws prohibiting privacy violations, many companies still violate these laws. Understanding privacy law will enable you to keep customers’ secrets and continue to earn their trust. This chapter will help you to:
• Understand the types and scopes of data privacy laws.
• Know the types of legal actions that can occur as a result of a data breach.
• Gain insight into the actions necessary to avoid negligence claims in a class action lawsuit.
• Realize that data privacy case law set the precedents for determining data breach litigation outcomes.
• Prepare your cybersecurity program in advance to support data breach litigation.

3.1 Common Law of Privacy

Quite often various amendments and laws are cited as the basis for privacy rights; however, most such citations tend to be wrong. Did you know, for example, that the US Constitution contains no express right to privacy? The Bill of Rights does provide some protections of privacy in matters of beliefs, searches, home, etc., but stops short of specifying privacy as a fundamental right. If you remember back nearly 30 years to Judge Robert Bork’s Supreme Court confirmation hearing, he stated that “no such general right of privacy exists.” In the absence of clear guidance from the Constitution, we need to look at the law to establish a basis for privacy. This background is essential to your understanding of how privacy rights are legislatively created within the US. I want to provide a little history in establishing what I believe is an excellent definition of privacy. In fact, courts will often refer to this definition of privacy even though it was drawn from a court case occurring 60 years ago. In Housh v. Peth, privacy was defined in a way I believe you will agree holds true today:

An actionable invasion of the right of privacy is the unwarranted appropriation or exploitation of one’s personality, the publicizing of one’s private affairs with which the public has no legitimate concern, or the wrongful intrusion into one’s private activities in such a manner as to outrage or cause mental suffering, shame or humiliation to a person of ordinary sensibilities. (Housh v. Peth, 1956)

In the Housh v. Peth opinion, you will see the origins of virtually all data privacy laws past and present. The concepts of legitimate concern and wrongful intrusion form the foundation of local, state, and federal data privacy statutes. This privacy definition should clarify your mission of ensuring customer privacy.
3.2 Privacy Laws

One of a government’s principal responsibilities is to protect its citizens, safeguarding them from foreseeable harm. This responsibility to protect extends to cyberspace, where lawmakers legislate protection through Internet privacy laws. State and federal governments strive to protect our digital persona, or representation, by using privacy-preserving legislation. Our digital persona is all the private information that describes who we are. These laws extend to virtually every form of digital media and consumer-facing Internet technology. Understanding the legal aspect of privacy law will allow you to decide how to modify your organization’s privacy practices. I encourage you to leverage the Housh v. Peth definition to incorporate and align your company’s privacy policies. In the US, no single privacy law exists, and it would not be unusual for you to need to be aware of over 60 pieces of state privacy legislation should you have customers throughout the nation. Add to that various federal and industry regulatory privacy statutes, and that number quickly grows. Enforcement of privacy laws varies. Regulatory agencies may not have the force of law behind them, but they nonetheless have civil financial penalty authority to enforce their privacy regulations. State and federal privacy laws have the force of law behind them, and a severe violation could result in incarceration.

3.2.1 Children’s Privacy Laws

We have all grown up knowing that children must be protected, for they lack the ability to protect themselves. We keep them from playing in the street and talking to strangers. Protecting them from the evils of the digital world is no different. According to the Pew Research Center, 87% of all teens have access to a desktop or laptop computer (Lenhart, 2015). This creates a potentially large victim pool for Internet-based crimes. We all need to commit to ensuring the privacy rights of children. If your organization interacts with minors digitally, there are specific laws with which you will need to be familiar.

3.2.1.1 Federal Children’s Privacy Law

In 2000, the Children’s Online Privacy Protection Act (COPPA) went into effect to restrict information collected on children under the age of 13. The act specifies that website providers must adhere to a privacy policy that requires verifiable consent from a parent or guardian for a child to access their site. The website provider must also document that appropriate safeguards are deployed to ensure the safety and privacy of the children using their site. The act restricts the type of digital marketing directed toward children. In 2013, the act was modernized to reflect the increased use of mobile devices and social networking by minors, where cookies and geolocation information can be used to track children’s location and online activity. If your organization markets to children or allows children access to any of your company’s digital media, you must comply with COPPA. The following is my summary of the COPPA provisions you would need to follow:
• Conspicuously post a comprehensive privacy policy.
• Directly notify parents of the collection and use of data gathered.
• Obtain verifiable parental consent.
• Allow parents to review the personal information collected.
• Protect the confidentiality, security, and integrity of children’s information.
• Retain personal information for only as long as is necessary.
• Refrain from gathering more information than is reasonably necessary.

TIP: Turn these requirements into a self-assessment checklist to validate that your organization follows COPPA requirements to protect children’s privacy.

The act has a safe harbor provision that allows industry groups, companies, or other entities to submit an application for a self-regulatory framework for complying with the act’s final rule. You can opt in to one of these safe harbor programs to comply with COPPA. A safe harbor provision is a rule within a regulation that specifies that if you adhere to certain rules of conduct, you will be in compliance with an act. If you use one of these frameworks, you will be deemed in compliance with COPPA and consequently exempt from Federal Trade Commission (FTC) enforcement actions. You can still, however, be fined if your practices are found to have willfully violated your chosen self-regulatory safe harbor framework. As of June 2016, the FTC had approved seven safe harbor programs (Federal Trade Commission – COPPA Safe Harbor Program), including:
• Aristotle Age Verification Solution.
• Better Business Bureau’s Children’s Advertising Review Unit (CARU).
• Entertainment Software Rating Board (ESRB) Kids Seal.
• Privacy Vaults Online Inc. (PRIVO) Safe Harbor, Identity, and Consent Service Provider.
• The Internet Keep Safe Coalition (iKeepSafe).
• Samet Privacy (kidSAFE).
• TRUSTe’s Children’s Privacy Program.

The FTC has the authority to issue regulations to enforce COPPA. Curious as to how many companies have been fined over COPPA, I searched the FTC site for “COPPA violations” and was quite surprised by the extent of what I found. In one of the largest enforcement actions, the FTC fined Xanga.com, an online community, $1 million for allowing 1.7 million children under the age of 13 to create an account over a five-year period. Other notable COPPA violators include BonziBuddy Software, the Hershey Company, Mrs. Fields, Skid-e-kids, and Yelp. There appears to be no end in sight regarding COPPA violations.
In September 2016, the New York State Attorney General’s Office secured $835,000 in COPPA violation settlements with Hasbro, Mattel ($250,000), Viacom ($500,000), and JumpStart ($85,000). Hasbro was not fined because it participated in the COPPA safe harbor program. The benefit Hasbro enjoyed from participating in a safe harbor program shows the importance of safe harbor provisions.

3.2.1.2 State Children’s Privacy Laws

Some states do not believe that the federal COPPA act goes far enough to protect the children of their state. Consequently, they have enacted their own privacy statutes to protect children. If you operate in California or Delaware, or have children as customers there, you will need to be aware of these 2015 laws. California passed the Privacy Rights for California Minors in the Digital World regulation, and Delaware passed the Delaware Online Privacy and Protection Act, extending privacy to include removing unwanted information on minors and prohibiting the sale of products known to be harmful to children. Both states have added four more years to the age their statute applies to by defining minors as those under the age of 18, and both prohibit the marketing of products known to be harmful to children (e.g., alcohol, guns, and R-rated materials). The California statute differs from the Delaware law in that it permits minors or parents to remove directly, or request the removal of, information or photos posted on a website, online service, application (mobile or online), etc. Website or service providers must comply with the removal request. This type of law has been coined in the press as data erasure law.

3.2.2 Healthcare Data Privacy Laws

If you have spent any amount of time reviewing the Health Insurance Portability and Accountability Act’s (HIPAA) various proposed, interim, and final rules, you may have been as confused as I was. Since 1996, there have been numerous amendments to HIPAA, which makes keeping all of them straight challenging at best. This confusion may be one of the reasons so many companies today still find themselves under investigation for HIPAA violations and paying substantial fines.

3.2.2.1 HIPAA Privacy Rule

Much has been written on HIPAA, which passed in 1996; however, you have probably heard less about the legal aspect of the Standards for Privacy of Individually Identifiable Health Information, known as the “Privacy Rule.” Originally, Congress did not enact privacy legislation in HIPAA, forcing the US Department of Health and Human Services (HHS) to develop a rule regarding privacy. The Privacy Rule was passed on December 28, 2000, with an effective date of April 14, 2001. What is important for you to know is that this rule established a set of standards for ensuring the privacy of health information and specified the manner in which you are allowed to disclose protected health information (PHI). If you are a health care clearinghouse, health plan, or healthcare provider, you are considered a covered entity and required to comply with this rule. The rule also specifies the rights your patients have in controlling the use of their PHI. The enforcement of the Privacy Rule comes under the auspices of the HHS Office for Civil Rights (OCR). Enforcement activities include voluntary compliance oversight and the issuing of financial penalties for noncompliance. The OCR has broad latitude in deciding how to handle violations and can assess penalties up to $50,000 per violation or $1.5 million annually. The final rule, published August 14, 2002, had an effective compliance date of October 15, 2002. By now, you are considered in violation of the act if you have not implemented the required privacy controls within your enterprise. Being equally curious regarding HIPAA violations and fines as I was about COPPA, I set out to the www.hhs.gov website to search for interesting cases. I found that financial penalties for noncompliance can be significant, as Maryland-based Cignet Health learned on February 4, 2011, when it became the first company fined under the act for violating its provisions. Cignet’s $4.3 million penalty was a result of its violating 41 patients’ rights when it denied them requested access to their medical records between September 2008 and October 2009.

Remember the act’s provision that patients have control over their medical records? This is an example of what happens if you don’t provide them with timely access to their records. Cignet is not the only example of a company paying substantial fines for violating the Privacy Act. Massachusetts General Hospital paid a $1 million penalty recently for a 2009 incident in which an employee left the PHI of 192 patients on a subway train in Boston. And in case you are thinking these older cases don’t represent what happens today, you would be wrong. Take the recent example of the Feinstein Institute for Medical Research, which on March 17, 2016, agreed to pay $3.9 million and undertake substantial remediation of its privacy safeguards. On July 16, 2016, the University of Mississippi Medical Center (UMMC) agreed to pay $2.75 million for violating the Privacy Act. The sad tale of all these companies paying fines is that the money could have, and should have, gone toward improving their privacy controls in the first place. At this point, you may be asking yourself how so many companies can violate a privacy standard that has been in existence for 16 years. In fact, according to HHS, 137,772 complaints had been filed under the Privacy Act through September 30, 2016. Of these complaints, 24,501 were investigated and resolved by requiring covered entities to make changes to their privacy practices. The most interesting facts about HHS’ data are that 39 cases resulted in fines totaling nearly $46 million and 584 complaints were severe enough to be referred to the Department of Justice (DOJ) for criminal prosecution (US Department of Health and Human Services, 2016). In cases of willful violations, the OCR can refer the case to the DOJ to pursue criminal charges.
The act states that accessing PHI without authorization and subsequently disclosing the information to a third party can result in a jail term of up to 10 years in addition to a maximum fine of $500,000 for disclosures made for personal gain. The first DOJ criminal referral led to a 16-month prison sentence for a former employee of a Seattle, WA cancer clinic who fraudulently obtained credit cards using PHI and charged about $9,000 in a patient’s name (First Ever HIPAA, 2004). There have been approximately two dozen convictions to date involving incarceration. The OCR Privacy Rule allows state healthcare protection legislation to trump the OCR’s Privacy Rule if the states’ privacy protections are greater than OCR’s. One example of this is the Texas Health and Safety Code’s protection of health records, which includes a broader definition of what is considered a covered entity, including some private companies.

3.2.2.1.1 Law Enforcement HIPAA Disclosure

The act does allow a covered entity to disclose limited PHI under certain circumstances to law enforcement in the course of official business. However, it is critical that a fully vetted, legally reviewed policy and procedures document be implemented to prevent Privacy Rule violations. Law enforcement officials do not care about your violating HIPAA when pursuing a case, and your organization will be the one left with the consequences. Table 3-1 provides guidance for the development of security policies covering interactions with law enforcement when patient information is requested or demanded.

Table 3-1. Law Enforcement Interaction Security Policy Guidance
Reporting Scenario | Disclosure Examples
Requested reporting | Specific patient name request; court order; victim information; patient in custody; HIPAA-compliant authorization.
Mandatory reporting | DUI testing; elderly abuse patient; child abuse patient; patient injured by a weapon; deceased patient resulting from a crime.
Permitted reporting | Criminal conduct; criminal or victim identification; averting serious or imminent crimes.

For more information regarding law enforcement interactions, check out HHS’ Disclosures for Law Enforcement Purposes information at http://www.hhs.gov/hipaa/for-professionals/faq/disclosures-for-law-enforcement-purposes. You should also create policies in conjunction with your organization’s legal counsel.

3.2.2.1.2 HITECH Act

In 2010, the Health Information Technology for Economic and Clinical Health (HITECH) Act was included within the American Recovery and Reinvestment Act (ARRA). The act was primarily designed to promote the adoption of health information technology during the economic crisis in the US. The act included provisions for ensuring the privacy of electronically transmitted health information. On January 17, 2013, the OCR issued the final rule, which expanded the privacy requirements. If you are a covered entity, you should have been in compliance with the HITECH Act beginning in September of 2013. Here is what the HITECH Act requires you to comply with:
• Business Associates (BA). BAs are now on the hook for complying with certain provisions of HIPAA. BAs can include software providers, service providers, and other companies that provide products or services in the health care industry.
• Electronic Health Record (EHR) Access. Companies using EHR must allow timely access to patients requesting their records.
• Enforcement. The act provides strict enforcement of its provisions, consisting of fines up to $1.5 million per year. Willful neglect offenses will be given the highest priority, with some cases referred to the DOJ for criminal prosecution. Enforcement is also extended to business associates.
• Breach Notification. Covered entities must disclose data breaches of PHI that occurred on unencrypted information. Breaches exceeding 500 records must be reported to HHS, and you will end up on the OCR breach portal, more affectionately known in the industry as the wall of shame (US Department of Health and Human Services, n.d.). Affected patients must also be notified.

TIP: Follow the HIPAA Privacy Rule to achieve compliance with the provisions of the HITECH Act.

3.2.2.1.3 HIPAA Breach Notification Rule

The Interim Final Rule dated August 24, 2009 (Breach Notification Rule) added a new subpart D to part 164 of title 45 of the Code of Federal Regulations to implement the Breach Notification provisions established in the HITECH Act. The Breach Notification Rule states that “compromises of security or privacy of the protected health information” means that a disclosure poses a significant risk of financial, reputational, or other harm to the affected individual. An objective risk assessment approach is required to determine the risk that the PHI has been compromised. Table 3-2 is a risk assessment questionnaire I created for a healthcare organization. It may help you in performing a risk assessment to determine the extent of compromised PHI.

Table 3-2. PHI Risk Assessment Questionnaire

No. | Risk Question | Responses
1 | Was PHI included in the data breach? | Yes or No
2 | How many records were breached? | 500+
3 | How many PHI identifiers were disclosed? | 0 to 18
4 | Can the identifiers disclosed lead to discovering the patient? | Yes or No
5 | Did an unauthorized person access the PHI? | Yes or No
6 | Was the PHI viewed or acquired? | Viewed or Acquired
7 | Was the PHI encrypted? | Yes or No

This approach is more comprehensive than the four-factor approach suggested by HIPAA. If you want a full-scope risk assessment program, the National Institute of Standards and Technology (NIST) offers a comprehensive HIPAA Security Rule Toolkit. Go to https://scap.nist.gov/hipaa/ to download a free copy of the Toolkit.

3.2.2.2 Veterans Benefits, Health Care, and Information Technology Act

In 2006, S.3421, the Veterans Benefits, Health Care, and Information Technology Act, required the Department of Veterans Affairs (VA) to implement agency-wide security and privacy procedures to protect the sensitive personal information (SPI) of employees and patients. This act was passed following the 2006 data breach affecting over 26 million veterans, which occurred when a VA employee’s computer was stolen from the employee’s home.

The act requires that in the event of a data breach of SPI processed or maintained by the VA, the VA’s Inspector General must conduct an independent risk analysis of the data breach to determine the level of risk of potential misuse of the SPI. Based upon the risk analysis, if the Secretary of Veterans Affairs determines that a reasonable risk of potential misuse of SPI exists, the Secretary must provide:

• Credit protection services.
• Identity theft insurance.
• Notification to affected patients and employees.
• A report detailing the findings of the independent risk analysis for each data breach.
• A report of compromised sensitive personnel records issued to the US Department of Defense (DOD) Armed Services Committee.
• Liquidated damages paid by contractors who caused the data breach.

What is quite different about this act is the requirement for liquidated damages if your company was found to be the cause of the data breach. In this context, a contractor is considered in breach of contract for not protecting SPI and must pay a predetermined sum to compensate the VA for the damage caused. This would include the cost of credit monitoring services, notification costs, etc. More information about the provisions of this bill can be found at https://www.congress.gov/bill/109th-congress/senate-bill/3421.

3.2.3 Federal Privacy Laws

Today a framework of robust federal laws covers the protection of personal information. Some of these statutes are very specialized in their scope, while others have broad-reaching protections for personal information. The first federal law was published in 1970; since then, by my count, 22 other data privacy laws have passed. Table 3-3 lists the federal statutes, acts, and regulations that directly or indirectly apply to ensuring the privacy of information or prohibiting invasions of privacy.

Table 3-3. Federal Statutes Related to Privacy

Year | Bill | Title | Description
1970 | H.R.15073 | Fair Credit Reporting Act (FCRA) | Protection of personal information related to credit reporting.
1974 | 513 of P.L. 93-380 | Family Educational Rights and Privacy Act (FERPA) | Restricts the disclosure of educational records.
1974 | S.3418 | Privacy Act | Code of privacy practices for federally held information.
1978 | H.R.4727 | Privacy Protection for Rape Victims Act | Protection of rape victim identities.
1978 | H.R.14279 | Right to Financial Privacy Act (https://www.congress.gov/bill/95thcongress/house-bill/14279) | Privacy of customer financial records from government scrutiny.
1984 | S.66 | Cable Communications Policy Act (CCPA) | Personally identifiable information (PII) must be destroyed once no longer necessary.
1986 | H.R.4952 | Electronic Communications Privacy Act (ECPA) | Privacy of electronic data transmission by computer.
1986 | 18 US Code Chapter 121 | Stored Wire and Electronic Communications and Transactional Records Access – Stored Communications Act (SCA) | Protects stored electronic communications that are configured to be private.
1988 | S.496 | Computer Matching and Privacy Protection Act | Privacy principles for government information sharing.
1988 | S.2361 | Video Privacy Protection Act (VPPA) | Prohibits disclosure of PII by video service providers.
1991 | S.1462 | Telephone Consumer Protection Act (TCPA) | Protection of subscriber privacy rights.
1994 | H.R.3355 | Driver’s Privacy Protection Act (DPPA) | Limits the disclosures of PII in records maintained by state departments of motor vehicles.
1994 | H.R.2243 | Federal Trade Commission Act (FTCA) | Privacy protections for children and consumer information.
1996 | H.R.3103 | Health Insurance Portability and Accountability Act (HIPAA) | Privacy of personal health information (PHI).
1998 | 16 CFR Part 312 | Children's Online Privacy Protection Act (COPPA) | Protection of minors’ privacy.
1999 | S.900 | Gramm-Leach-Bliley Act (GLBA) | Protection of non-public personal information (NPI).
2003 | H.R.2622 | Fair and Accurate Credit Transactions Act (FACTA) | Protection of credit card information to prevent identity theft.
2003 | S.877 | CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act) | Prevents invasion of individual privacy through the issuance of spam.
2006 | H.R.4709 | Telephone Records and Privacy Protection Act (TRPPA) | Prohibits pretexting to obtain personal phone records.
2009 | H.R.1 | American Recovery and Reinvestment Act – Health Information Technology for Economic and Clinical Health Act (HITECH Act) | Data breach notification of PHI.
2010 | S.2092 | Fair Debt Collection Practices Act | Prevents invasion of individual privacy.
2013 | 45 CFR Parts 160 and 164 | HIPAA Breach Notification Rule | Notification and penalties for violations of PII.
2015 | H.R.1428 | Judicial Redress Act | Allows European citizens to sue for unlawful PII disclosures.

It is important to note that many of these laws have been amended since they were first passed. For each applicable statute, ensure that you are referencing the most current version by accessing the link provided or by searching for the law or act at https://www.congress.gov/.

TIP: Create a spreadsheet of the laws mentioned in this chapter that apply to your organization, and include hyperlinks to their sources. Identify the privacy requirements of each law and map those to your organization’s privacy policies, practices, and controls.

3.2.4 State Privacy Laws

Every state in the US has at least one privacy law that seeks to protect its citizens from invasions of privacy and theft of PII. California is one example of a state having many such laws. Presently, California has six individual privacy laws covering constitutional rights, health information, online privacy, and other privacy protections. It is not unusual for large organizations to have to comply with 50 to 60 different state privacy laws, which makes the situation extremely confusing. Big companies have chief privacy officers (CPOs) to address the multitude of privacy laws. To make this even more complicated, depending on the situation, a state privacy statute and a federal privacy statute can preempt one another. You will need to understand the hierarchy of these laws to ensure you are focusing your efforts correctly. To help you understand the areas state privacy laws focus on, Table 3-4 lists the most common identification attributes you should be protecting.

Table 3-4. Common Records Covered by State Privacy Laws

Personal identification:
- Name
- Address
- Driver’s license
- Employment
- Passport
- Phone number
- Photo (minors)
- Email
- Medical
- School records

Financial identification:
- Social Security Numbers
- Bank
- Credit card
- Insurance
- Loan
- Tax
- Utility bills

Government identification:
- Arrest records (non-public)
- Military ID
- Court documents (non-public)
- Polygraph results
- Wiretaps

3.2.5 International Privacy Laws

More than 90 countries have passed data privacy laws. From Angola to Zimbabwe, these laws vary in scope and complexity. Penalties range from fines to incarceration and, in some cases such as Saudi Arabia and Pakistan, even death. The growth in data protection and privacy laws, as well as their rapid rate of enhancement, can quickly become a compliance nightmare for a cybersecurity or privacy manager. The Asia Pacific region is experiencing the greatest number of new laws, and European countries tend to have the most mature and comprehensive laws. If your organization is a multi-national concern, then you may already be breaking data privacy laws and not even know it. Unless you have created a detailed compliance program that maps each country of operation to the privacy provisions of each law, considering data collection, storage, processing, transmission, etc., you actually cannot know whether you are compliant or not. You must also take into account transborder data privacy provisions, considering the legal implications of data in the cloud. The vast majority of us don’t have the resources to keep track of all these international data privacy laws. I can highly recommend that you review DLA Piper’s Data Protection Laws of the World handbook (DLA Piper).

3.3 Data Breach Laws

The term data breach seems to garner more fear than data privacy, and subsequently the lion’s share of press. I believe this is due more to the impression that a violation of privacy is about revealing embarrassing information, while a breach of data is associated more with financial impacts. According to a recent Verizon data breach report, there were over 100,000 incidents across 82 countries where confidential information was exposed, making this by any measure a serious issue that you must address (Verizon, 2016). When you begin viewing the various data privacy and data breach laws, you will realize a fine line exists between the two types of laws. The important point is that data breach laws predominately deal with the issue of disclosure. Data breach laws follow a similar framework consisting of compliance, triggers, safe harbor, notification, remedies, and penalties.

3.3.1 State Data Breach Laws

Except for Alabama, New Mexico, South Dakota, the Northern Mariana Islands, and American Samoa, all US states and territories have data breach laws, which are used to enforce data privacy protections (National Conference of State Legislatures, 2016b). The common denominator of these statutes is their specification of PII. If an entity were to intentionally or accidentally disclose PII, the offending entity would be required to make a public notification as well as pay a financial penalty. In reviewing data breach laws, I noticed six common characteristics:

1. Type of Personal Information. Personally identifiable information consists of Social Security numbers, driver’s license numbers, account numbers, credit or debit card numbers, phone numbers, addresses, health information, and other items depending on the state.
2. Harm Standard. Notification is not required if, after an investigation, the breached company determines that no reasonable likelihood of harm to customers occurred.
3. Data Format. Laws can cover electronic, paper, or both types of records, as well as consider whether the data was encrypted or unencrypted.
4. Notification Requirement. Upon the confirmation of a breach, the company has an obligation to report to one or more organizations, consisting of consumer reporting agencies (e.g., Experian, Equifax, or TransUnion), a state’s Office of the Attorney General, and the FTC.
5. Notice Period. Ranges from ten business days to 30 to 45 calendar days.
6. Form of Notification. Notification methods vary by state, consisting of mailed written notice, electronic (email), telephone, or fax.
The first thing you will need to understand about data breach notifications is the safe harbor provision, meaning that if your data is encrypted, then no notification would be required. That is, unless it is in Tennessee. In July 2016, Tennessee became the first state to require breach notification even if the data is encrypted (Embry, 2016).

3.3.2 Federal Data Breach Laws

The federal government had not specifically addressed data breach or breach notification in a single law until the introduction of H.R.1770 – the Data Security and Breach Notification Act of 2015. This bill is designed to protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide notice in the event of a breach of security. This bill would result in a law that differs from other data breach notification laws in that a national public notification would be required. The bill was introduced and approved by the committee for further consideration in April of 2015. From that point forward it has been stalled because of discussion over limitations in scope and the preempting of states with existing laws. Many state legislators see this as a duplicate of their state notification laws. Other industry groups, agencies, and states have voiced concerns over the fact that the proposed act applies only to breaches that can be directly linked to identity theft or financial fraud. The FTC would be the enforcement agency for this bill if it becomes law.

Another bill, H.R.1704 – the Personal Data Notification and Protection Act, was introduced in March of 2015 to address certain businesses that use, access, transmit, store, dispose of, or collect sensitive, personally identifiable information. An interesting aspect of this bill is that it categorizes reporting requirements by data breach size, with levels of 5,000, 10,000, and 500,000 in any 12-month period. The Department of Homeland Security (DHS) would be the agency to which data breaches are reported. A form of safe harbor is also included in this bill. The FTC would be the enforcement agency for this bill should it become law.

I am not convinced either of these bills will become law, at least as they are currently drafted. You should watch these bills, as the momentum on Capitol Hill is poised to pass a national data breach law by the next congressional session, 2017-2018, in light of the media attention data breaches have garnered. In case you are asking yourself, “What about the HIPAA and Gramm-Leach-Bliley (GLBA) Acts? Don’t they have data breach provisions?” Yes they do; however, they are specific to the health care and financial industries, respectively. I discussed HIPAA breach notification previously, which leaves GLBA.
GLBA breaches of consumer financial data are guided by the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, issued by bank regulatory agencies pursuant to GLBA. The guidance requires that a financial institution notify affected customers “as soon as possible” if the institution determines that misuse of “sensitive customer information” has occurred or is reasonably possible (Federal Deposit Insurance Corporation, 2005).

If you work for the federal government, you will need to be aware of the 2007 memorandum for the heads of executive departments and agencies titled Safeguarding Against the Breach of Personally Identifiable Information. The memorandum states, “Safeguarding personally identifiable information in the possession of the government and preventing its breach are essential to ensure the government retains the trust of the American public” (Johnson, 2007). Agencies are required to:

• Develop and implement a breach notification policy.
• Use encryption to protect PII.
• Develop incident response plans.
• Limit access to authorized personnel.
• Create external breach notification protocols.

3.3.3 International Data Breach Laws

DLA Piper’s Data Protection Laws of the World handbook, mentioned in 3.2.5 above, provides a view of data breach laws by country (DLA Piper, 2016). You can access the book and select the breach notification tab to investigate these laws for the countries applicable to your organization.

3.4 Data Breach Litigation

The frequency and scope of privacy data breaches are increasing substantially, as illustrated by Yahoo!’s September 2016 announcement of the theft of one-half billion customer records when hackers breached its systems in 2014. Yahoo! became aware of the cyberattack only when Yahoo! customer information went up for sale on the dark web, two years after the attack. Three months later, in December 2016, Yahoo! revealed that another, earlier hack in 2013 affected more than one billion accounts. The important point about the Yahoo! hack and other examples is that injuries to the plaintiff don’t necessarily need to be immediate. Many data breach lawsuits suffer dismissal for lack of standing. However, some cases are avoiding dismissal by proving future injury. Courts have decidedly taken two approaches to data breach lawsuits, specifically class action lawsuits. On the one hand, courts have ruled in some cases that plaintiffs who cannot show actual injury or cannot prove they made a purchasing decision based on the defendant’s privacy policy have no standing to claim injury. On the other hand, some courts have ruled that injury does not have to be immediate. The Yahoo! data breach case may change some courts’ position regarding the issue of future harm.

3.4.1 Injury vs. No-Injury Class Action Lawsuits

From July to October 2013, hackers stole 350,000 instances of credit card data from Neiman Marcus Group, LLC (Neiman). The data compromise came to light when some of Neiman’s customers began to notice fraudulent charges on their credit cards in December of that year. Ultimately, 9,200 credit cards would be fraudulently used.
In January, Neiman made a public disclosure of the cyberattack. Shortly afterward, several class action lawsuits were filed. These were all consolidated into a single action filed by Hilary Remijas, who filed a lawsuit on her own behalf and on behalf of all others similarly situated (a class action). The complaint, or lawsuit, seeking $5 million accused Neiman of negligence, breach of implied contract, unjust enrichment, invasion of privacy, and violation of multiple state data breach laws. Citing the rules of civil procedure, Neiman moved to dismiss the lawsuit for lack of standing. The judge held that even though credit cards were fraudulently used, the fact that customers were reimbursed proved no financial loss or harm had occurred. A district court dismissed the case on the basis that the plaintiffs lacked standing or a demonstrable harm.

The case was appealed, argued, and decided between January and July 2015. It is the result of this appeal that makes data breach law interesting. In a first-of-its-kind legal precedent, the US Court of Appeals for the Seventh Circuit in Chicago, IL found that the Neiman plaintiffs in a data breach case had satisfactorily identified harm, even though no harm had occurred. The judge ruled that the plaintiffs proved some particularized, concrete, and redressable injuries as a result of the data breach and that Neiman caused the injury. Subsequently, this court reversed the original court’s decision, allowing the case to go forward. The plaintiffs claimed injury based on lost time and money resolving the fraudulent charges and efforts protecting themselves from future identity theft. They also claimed financial loss from buying items at the store that they would not have bought had they known of the cyber breach, and loss of control over the value of their personal information.

Three things are required to prove standing: injury-in-fact, causation, and redressability. The injury-in-fact requirement was satisfied by the claims that resolving fraudulent charges and protecting oneself against future identity theft were injurious. For causation, the court relied on the Target Corporation data breach case as a precedent, and wrote that when Neiman argued that other data breaches could have caused the plaintiffs’ card compromises, the burden of proof shifted to the defendant to prove it did not cause them. The fact that Neiman admitted the cyber breach, notified all its customers that they were at risk, and had customer credit cards fraudulently used was enough to prove causation. To meet the requirement of redress (compensation), the plaintiffs claimed that injury would come from future expenses for mitigation costs and damages. The court agreed (Remijas v. Neiman Marcus Group, LLC, 2015).

TIP: Ensure that you carefully write the breach notification letter, as well as any public disclosure statements, in a manner that does not admit liability or determine harm that could be used against your company in a court of law.

The US Court of Appeals for the Seventh Circuit’s ruling goes against a 2013 US Supreme Court decision that states that an injury must be “concrete, particularized, and actual or imminent; fairly traceable to the challenged action, and redressable by a favorable ruling” (Clapper v. Amnesty Int’l USA). The Neiman case may have a significant impact on future privacy violation lawsuits, where defendants have been able to have class action lawsuits readily dismissed for lack of standing. In fact, it had already been cited in 2016 in Lewert v. P.F. Chang’s China Bistro, Inc. Here the Seventh District Court overruled a lower court’s decision on standing, citing its previous Remijas v. Neiman Marcus Group, LLC ruling. Further complicating the outlook of how courts will rule in data breach cases is a second US Supreme Court decision, in May 2016, in the case of Spokeo v. Robins. Here the US Supreme Court vacated (overruled) the US Ninth Circuit Court’s ruling approving the class action lawsuit, stating that concrete harm could not be abstract but needed to be tangible, and that injury-in-fact was not proved. Here the court ruled that a plaintiff cannot allege only a statutory violation, but must also show actual injury as a result of the offense to sue in federal court.

If you find that your company is named in data privacy breach litigation, your ability to guide your business using the three requirements of standing will significantly aid your legal defense. Guiding the legal defense requires that you work with your legal department, primarily in the area of causation, to attempt to prove that other factors could have been involved in your customers’ alleged injury. Would you be able to show that your data collection, processing, and security practices would hold up to scrutiny in a court of law?

3.4.2 Data Privacy and the US Supreme Court

In July 2014, the US Supreme Court made its strongest case for digital privacy when it ruled that the search of a cell phone for incriminating information in a murder case was unconstitutional. In this case, the court unanimously agreed that electronic devices carry many forms of sensitive and private information that trigger privacy protections. The court’s ruling treats these types of data-holding devices like an extension of a person’s home, allowing Fourth Amendment protection. I expect that as more cases make their way to the US Supreme Court, further elaboration of digital privacy rights will be enumerated. Three landmark US Supreme Court opinions, described below, may shape how your company would defend itself in a privacy lawsuit.

3.4.2.1 City of Ontario, California, et al. v. Quon

On June 17, 2010, the US Supreme Court ruled that employers have the right to access and search employee messages under reasonable circumstances. In this case, a City of Ontario, CA SWAT team member (Officer Quon) used his city-provided pager to send and receive sexually explicit messages with his wife and mistress. Officer Quon believed that he had an expectation of privacy because his supervisor had stated he could use his pager for personal messaging if he reimbursed the city.
The sexting on his city-issued communication device became apparent in 2002, when an audit of officer texting overages was analyzed to determine whether the increase was due to personal texting that would subsequently cost the city more money for a different texting plan. The city requested and was provided with transcripts of Officer Quon’s text messages from the service provider, Arch Wireless. The matter was turned over to internal affairs, where only personal messages sent during working time were reviewed. It was found that the majority were sent during working hours, and subsequently Officer Quon was disciplined. Quon and several other city employees brought suit claiming that their Fourth Amendment rights, as well as the Stored Communications Act (SCA), were violated. The court ruled that the city had a legitimate right to audit Officer Quon’s texting records, and thus his Fourth Amendment rights were not violated. The amendment guarantees a person’s privacy and security from invasive and arbitrary government actions. In this case, the city’s actions were neither invasive nor arbitrary. Also, before acquiring the pagers, the city had published a computer usage, Internet, and email policy that allowed the city to monitor and log all email and Internet use. The policy, however, did not cover wireless network text messaging. This would have been a critical mistake had it not been for the fact that the city stated, verbally and in writing, that text messages would be considered as email under the policy. The SCA violation claim naming Arch Wireless as a defendant was viewed as not relevant and was dropped.

What is important to note from the US Supreme Court opinion is the statement, “…employer policies concerning communications will, of course, shape the reasonable expectations of their employees, especially to the extent that such policies are clearly communicated.” For you as a manager, this means you will need to ensure that cybersecurity policies support the rule of law, are clearly communicated, are regularly reinforced, are only modified in writing, and are revised to include new technologies. This opinion shows that you will need to ensure that searches of employee data are done for legitimate business purposes and that employees are aware of their obligations under your company’s cybersecurity policy.

3.4.2.2 Campbell-Ewald Co. v. Gomez

On January 20, 2016, the US Supreme Court held that an unaccepted settlement offer under Rule 68 of the Federal Rules of Civil Procedure (settlement offer), without more, cannot moot (nullify) a named plaintiff’s claim. The term without more in this context means just an offer of a financial settlement. In this case, Gomez received unsolicited text messages and filed a putative nationwide class action lawsuit against the Campbell Ewald Company seeking treble (triple) damages, alleging willful violations of the Telephone Consumer Protection Act (TCPA).
Before the deadline to file for class action certification expired, Campbell made a settlement offer providing Gomez full relief on his TCPA claim. Gomez allowed the offer to expire after 14 days under Rule 68. Campbell then moved to dismiss the case. That motion was dismissed; however, the lower court granted a summary judgment motion for Campbell on a separate sovereign immunity issue. Sovereign immunity means that the government cannot be sued, and in this case, Campbell was working under a government contract and therefore enjoyed the protection of sovereign immunity. Campbell’s sovereign immunity motion would ultimately be overturned by a higher court. The case was argued before the US Supreme Court, which wrote in its opinion that when a settlement offer is not accepted, “the parties remain adverse; both retained the same stake in the litigation they had at the outset.” The court also ruled that “a federal contractor is not entitled to immunity from suit for its violation of the Telephone Consumer Protection Act when it violated both federal law and the government’s explicit instructions” (Campbell-Ewald Co. v. Gomez, 2015).

The result of this opinion is that companies will find it difficult to “buy off” the primary plaintiff to avoid a class action lawsuit, or to hide behind sovereign immunity while working on government contracts.

3.4.2.3 Tyson Foods, Inc. v. Bouaphakeo

On March 22, 2016, the US Supreme Court ruled that class action plaintiffs may use sampling to establish injury among the plaintiffs. Although not a data privacy case, the court’s decision could have a wide-reaching effect on data privacy class action lawsuits. In this case, the plaintiffs used an expert study showing the average amount of time required to don and doff protective equipment to claim overtime pay. The court ruled that this data could be used to establish the injury of lost income to all plaintiffs because it was also admissible to show the employer’s liability. The result is that the door is now open for data breach class action plaintiffs to introduce expert studies and statistical models to show how all plaintiffs would be harmed by a data breach.

TIP: If your company is named in a class action data breach lawsuit, you need the knowledge and skills to perform your own risk assessment and statistical modeling to calculate the harm or injury to your customers.

3.4.3 Shareholder Derivative Lawsuits

Nothing strikes fear in a CEO or a board of directors faster than the phrase “shareholder derivative lawsuit.” A derivative lawsuit is a lawsuit brought by a shareholder of a corporation on its behalf to enforce or defend a legal right or claim that the corporation has failed to pursue. When a shareholder feels that management has not done enough to rectify a situation, the shareholder can sue the company to force it to sue itself. The directors, management, and in some cases other shareholders of the corporation can be named for failing a duty of care. This type of lawsuit is brought when it is deemed that the officers and board of directors have ignored an issue, which in the context of our topic is a serious breach of security. A growing number of derivative lawsuits targeting officers and directors have been filed alleging breach of fiduciary duty, either for not ensuring their company’s cybersecurity program was adequate or challenging their conduct following a breach. Some of the more publicly visible derivative lawsuits involved Target Corporation, TJX Companies, and Wyndham Worldwide Corporation (Wyndham). One of your roles following a data breach should be ensuring the board acts responsibly by providing them with accurate, timely information about what happened. This may be difficult, as they may see you as a contributing factor to the breach. You will also need to watch for the passage of H.R.5069, the Cybersecurity Systems and Risks Reporting Act, as boards of directors may be hiring their own cybersecurity expert to advise them during times of cyberattacks and resulting lawsuits, leaving you out in the cyber cold. The actions of a board leading up to and after a cyberattack will be evaluated to determine their duty of care and whether they acted in the best interests of their company and shareholders.

Take, for example, the 2014 lawsuit of Palkon v. Holmes, the first decision in a derivative lawsuit resulting from a data breach. Wyndham suffered three data breaches over a three-year period beginning in 2008, resulting in 600,000 compromised customer records. In this case, Dennis Palkon, a shareholder of Wyndham, sent two demand letters to the board requesting that they investigate the breach and sue the employees involved. A demand letter is a letter stating a legal claim and making a demand for restitution or performance of some obligation. The board considered both letters and responded that it would not be in the company’s best interest to do so. Having met the threshold for bringing a derivative lawsuit (issuance of demand letters), Palkon filed suit in the US District Court of New Jersey to force the directors to sue their company. The suit named board member Stephen Holmes and nine other Wyndham directors for breach of fiduciary duty, unjust enrichment, and waste of corporate assets. Unjust enrichment is a claim where plaintiffs allege that directors and officers received bonuses, or the value of their stock increased, through expense reductions achieved by not investing in cybersecurity safeguards. The case was dismissed as without merit; however, valuable lessons can be gleaned from how the board acted during the breaches. These actions proved to the court that the board had acted in a fiduciary manner. Their efforts included discussing the cyberattacks and the company’s security capabilities during 14 quarterly meetings during the period of the breaches. The board appointed an audit committee to investigate the breaches. The committee met 16 times and regularly reported back to the board. And finally, the company hired a computer forensics company and a technology company to implement cybersecurity program enhancements.
The board was also actively involved in the previously filed FTC lawsuit against Wyndham for failures in its cybersecurity program. The actions the board took were anything but the gross negligence Palkon claimed. This case underscores the critical importance of a board involving itself in a company’s cybersecurity program. The board did have a bit of luck in its case: the derivative lawsuit was filed after the board had acquired three years of security breach and cyberattack experience. Most such suits are filed immediately, not giving a board much time to prepare.

TIP: As someone involved directly with your company’s cybersecurity program, you may be personally sued in a derivative lawsuit, meaning the company could be forced to sue you for the failure of duty or negligence in a data breach. Ultimately, a personal lawsuit could end up costing you tens of thousands of dollars in attorney’s fees. You should discuss with your management how your breach-related legal expenses would be handled in such a scenario.

3.4.4 Securities Fraud Lawsuits

Before the notion of filing derivative lawsuits, parties would file a securities fraud lawsuit citing various portions of the Securities Exchange Act of 1934 relating to fiduciary responsibility. This was the preferred method for shareholders to challenge directors and officers following a data breach because it had been successfully used over the years to connect a lack of management oversight to a breach of security. Two of the largest cases to date involve Heartland Payment Systems, Inc. and ChoicePoint, Inc. In both cases, the plaintiffs alleged the defendants falsely reported their security controls capability in their 10-K statements. Although both cases were dismissed, they show that securities fraud claims can be used to bring suit against an organization, resulting in significant costs and the preoccupation of key employees in defending against the litigation.

If you were not already just a little bit concerned about being part of a data breach lawsuit, then by now you should be on the brink of being cautiously paranoid. Understanding the numerous and varied data privacy laws that apply to your organization’s cybersecurity program should give you an appreciation for the magnitude of work that remains for your cybersecurity program to reach and stay compliant with the dynamic and rapidly changing cybersecurity privacy legislative landscape.

3.5 Privacy Notice Law

Have you ever wondered about all those privacy notifications that seem to arrive at about the same time every year? You can thank GLBA for that, since it is the principal law requiring many companies that serve consumers to provide an annual update of their privacy policy regarding their information sharing practices (Federal Trade Commission, 2002). You will need to ask yourself whether your company’s privacy policy provided to consumers each year is clear and accurate as well as easy to locate. GLBA’s main provisions consist of:
• Financial privacy rule, which affords you control over how your private information is shared among affiliates.
• Pretexting provisions, which aim to stop third parties from acquiring your personal information through false pretenses.
• Safeguard rule, a requirement to establish and maintain safeguards to protect your private information.

Privacy notices apply whenever a company collects nonpublic personal information.
How your company gathers and discloses information about consumers is highly regulated by GLBA. If you collect nonpublic personal information directly from the consumer or populate applications with personal information gathered from another source, such as a credit bureau, all the information must be protected by your company. Penalties for violating GLBA can include $100,000 fines for each violation, fines up to $10,000 for each director, and imprisonment up to five years. There are also provisions to double penalties if it is determined that a pattern of illegal activity exists.

3.6 Personal Liability

As a result of numerous data breaches, with senior management lawyering their way out of responsibility, aggrieved parties have begun to search for others to blame outside of a company’s board of directors. Shareholders and plaintiffs are turning their attention increasingly toward chief information officers (CIO) and chief information security officers (CISO). In 2015, the CIO of the US Office of Personnel Management (OPM), Donna Seymour, was personally named in a $1 billion lawsuit by the American Federation of Government Employees citing her negligence in securing over 21 million employee and contractor records. This was the second breach to occur on her watch. This lawsuit is poised to set some concerning precedents for CIOs and CISOs alike, and the trial has been closely watched throughout 2016. All correspondence related to cybersecurity sent by CIOs and CISOs is open for discovery and will be analyzed to determine duty of care claims.

TIP: CIOs and CISOs should send any security assessment reports and correspondence to in-house legal counsel to preserve client-attorney privilege, ensuring these types of reports are not available for discovery motions. A file transfer protocol (FTP) server or document management solution can also be used to submit sensitive documents to the legal department to preserve client-attorney privilege.

3.6.1 Directors and Officers Insurance

If anyone has ever told you that titles don’t matter, well, here is a case in which they do. Directors and officers (D&O) insurance protects the officers and directors, including board members, against allegations of wrongdoing. It protects them against liabilities not already indemnified by the corporation. Companies have this type of insurance because officers and directors can make mistakes and may be personally liable for those mistakes. D&O insurance just may be the place where titles matter. Having the title of security manager rather than chief information security officer may make all the difference in whether you are covered under the blanket protections of your company’s D&O policy. D&O insurance protects the actions of directors, officers, and board members against lawsuits based on failures in employment practices, reporting errors, decisions exceeding authority, and failure to comply with regulations and laws, among others. However, D&O policies do not cover any acts of fraud or other types of intentional criminal offenses. Of particular importance to you are the protections for failure to comply with regulations or laws. In the event your company is sued for negligence in security controls, will you be covered and your personal assets protected? D&O policies can vary widely, so it is important that you sit with your business’s insurance risk manager and discuss whether or not the D&O policy covers you. If not, it may also be time to ask for that raise and change in title!

3.6.2 Preemptive Liability Protection

If you feel that your company is not taking your advice to improve cybersecurity and has made public statements overstating its security capabilities, you could take the whistleblower route to mitigate your liability exposure. For example, in August 2013, LifeLock Inc.’s former CISO, Michael Peters, filed whistleblower complaints with the FTC, the Securities and Exchange Commission, and the US Department of Labor for LifeLock’s failure to comply with a previous 2010 FTC order to improve security controls. Although it took nearly four years, the FTC filed a motion for contempt against LifeLock, alleging failure to have a comprehensive security program, making false claims to customers about security, failing to meet the 2010 recordkeeping requirements, and other claims. LifeLock offered a $20 million settlement that was rejected by the FTC. In 2015, LifeLock settled with the FTC for $100 million. In reaching the final settlement, LifeLock claimed it had complied with the previous order by achieving certification under the Payment Card Industry Data Security Standard (PCI DSS), a proprietary information security standard. LifeLock’s CISO’s report on the inadequacies of its security controls was enough to convince the FTC that LifeLock’s PCI DSS certification was insufficient to prove the company acted reasonably. The FTC did not need much convincing, as a number of previous enforcement actions over data breaches involved companies who also held PCI certifications. In fact, other data breach examples I cite in this book, such as Neiman Marcus and Target, were all PCI compliant. Several months after Peters filed the whistleblower complaint, he was terminated by LifeLock, prompting him to file a complaint against his former company in March 2014 for violating the whistleblower provisions of the Sarbanes-Oxley Act and Dodd-Frank Act by terminating his employment.
Peters, as LifeLock’s CISO, performed an initial risk assessment and determined that his company’s auditing, event logging, incident response, security awareness, security monitoring, and vulnerability testing were far less than the minimum requirements of accepted security practices required by the 2010 FTC order (Ross, 2014). Peters subsequently reached an out-of-court settlement, and the whistleblower case was dismissed in November 2015.

3.7 Data Disposal Laws

If you thought that complying with data privacy and data breach laws would be enough, think again. Your responsibility for protecting the privacy of your customers’ data continues until the data makes it to the grave – in this case, the end of life and ultimate disposal of information. Thirty-one states and Puerto Rico have passed laws governing the destruction and disposal of data (National Conference of State Legislatures, 2016a).

This aspect of the data lifecycle is so critical that the FTC has even published a rule on how consumer report information should be disposed of (Federal Trade Commission, 2005a). On June 1, 2005, the Fair and Accurate Credit Transactions Act (FACTA) Disposal Rule went into effect, requiring you to take appropriate measures to dispose of sensitive information derived from consumers (Federal Trade Commission, 2005b). Take time to review your data lifecycle policy and practices to trace each stop your data makes along the lifecycle and verify that proper privacy protections are implemented, including the proper disposal, erasing, or permanent elimination of data no longer required. Table 3-5 is the data compliance lifecycle I developed that has served me well. You may find it useful in tracing your data through your organization.

Table 3-5. Data Compliance Lifecycle

Stage | Summary
Data creation | Prevent data alteration during creation.
Data use | Prevent data misuse and mishandling when used.
Data transmission | Prevent data interception and alteration.
Data processing | Prevent data alteration when transformed by processing.
Data storage | Prevent theft, destruction, or errors when backed up.
Data archival | Prevent theft, destruction, loss, or errors when archived.
Data disposal | Prevent reconstitution; ensure total destruction.

3.8 Electronic Wiretap Laws

Have you ever wondered if monitoring employee email or website activities, or running surveillance with data loss prevention (DLP) products on employee communications, was violating any privacy laws? Well, it just may be violating the Electronic Communications Privacy Act (ECPA) if you have not made the proper disclosures. First and foremost, you must ensure that a policy exists and clearly states that your company reserves the right to monitor any digital, audio, or video data sent over company communication lines and networks. Employees need to understand that there should be no expectation of privacy.
If you are monitoring data and communications relating to customers, it can be done only if there is a legitimate business need, such as quality assurance, and you have their consent. The ECPA provides for fines and imprisonment of up to five years for violations unless you adhere to the following:
• One-Party Consent. The ECPA does not prohibit interception of communications if either the sender or the recipient gives prior consent. However, consent cannot be implied and must be given prior to the interception.
• Business Use Exception. The ECPA does not prohibit interception if it is conducted within the ordinary course of an employer’s business and the employer has a legal interest in the subject matter of the conversation.

TIP: If your company has a bring-your-own-device (BYOD) policy, employees, guests, or contractors need to acknowledge that any courtesy communications provided while they are onsite using their own devices may be monitored as well.

This is an area where you are highly encouraged to meet with your legal department to review and approve employee monitoring policies.

Summary

If this chapter has left you with anything, it should be that ensuring the privacy of your customers’ data is serious business and that you could be held personally liable if your clients’ secrets make it into the wild. Your involvement in a data breach could make you a central figure in a lawsuit, and you will want assurances from your company that you and your assets would be protected from personal liability. You should also realize that your actions related to protecting customer information need to meet or exceed published standards and laws, since that will be the standard against which you will be judged.

References

Campbell-Ewald v. Gomez (Supreme Court 2015).
Clapper v. Amnesty International USA, et al. (Supreme Court 2013). (District Court for the Southern District of New York 2012).
DLA Piper. (2016). Data protection laws of the world. Retrieved from http://www.dlapiperdataprotection.com/
Embry, S. (2016, April 19). State data breach notification laws just got crazier. Law Technology Today. Retrieved from http://www.lawtechnologytoday.org/2016/04/crazy-quilt-workstate-data-breach-notification-laws-just-got-crazier/
Federal Deposit Insurance Corporation. (2005, April 1). Final guidance on response programs: Guidance on response programs for unauthorized access to customer information and customer notice. Financial Institution Letters. Retrieved from https://www.fdic.gov/news/news/financial/2005/fil2705.html
Federal Trade Commission. (2002). In brief: The financial privacy requirements of the Gramm-Leach-Bliley Act. Retrieved from https://www.ftc.gov/tips-advice/business-center/guidance/brief-financial-privacy-requirements-gramm-leach-bliley-act#notice
Federal Trade Commission. (2005a, June). Disposing of consumer report information? Rule tells how. Retrieved from https://www.ftc.gov/tips-advice/business-center/guidance/disposing-consumer-report-information-rule-tells-how
Federal Trade Commission. (2005b, June). FACTA disposal rule goes into effect June 1. Retrieved from https://www.ftc.gov/news-events/press-releases/2005/06/facta-disposal-rule-goes-effect-june-1
Federal Trade Commission. (n.d.). COPPA Safe Harbor program [List of currently approved organizations]. Retrieved November 16, 2016 from https://www.ftc.gov/safe-harbor-program
First ever HIPAA privacy criminal conviction. (2004, August 26). Retrieved from https://www.crowell.com/NewsEvents/AlertsNewsletters/all/First-Ever-HIPAA-Privacy-Criminal-Conviction
Housh v. Peth, 165 Ohio St. 35 (Supreme Court of Ohio 1956).
Johnson III, C. (2007, May 22). Safeguarding against and responding to the breach of personally identifiable information (Executive Office of the President, Office of Management and Budget memorandum M-07-16). Retrieved from https://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2007/m07-16.pdf
Lenhart, A. (2015, April 9). A majority of American teens report access to a computer, game console, smartphone and a tablet. Pew Research Center. Retrieved from http://www.pewinternet.org/2015/04/09/a-majority-of-american-teens-report-access-to-a-computer-game-console-smartphone-and-a-tablet/
National Conference of State Legislatures. (2016a, January 12). Data disposal laws. Retrieved from http://www.ncsl.org/research/telecommunications-and-information-technology/data-disposal-laws.aspx
National Conference of State Legislatures. (2016b, January 4). Security breach notification laws. Retrieved from http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (7th Cir. 2015).
Ross, J. (2014, March 24). Former exec blows whistle on LifeLock. Courthouse News Service. Retrieved from http://www.courthousenews.com/2014/03/24/66399.htm
US Department of Health and Human Services. (2016, September 30). Enforcement highlights. Retrieved November 16, 2016 from http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html
US Department of Health and Human Services, Office for Civil Rights. (n.d.). Breach portal: Notice to the Secretary of HHS breach of unsecured protected health information. Retrieved November 16, 2016 from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Verizon. (2016). 2016 data breach investigations report: Executive summary. Retrieved from http://www.verizonenterprise.com/resources/reports/rp_dbir-2016-executivesummary_xg_en.pdf

Chapter 4 Cryptography and Digital Forensics Law

In the previous chapter you learned that the ability to keep secrets is a vital trait your company must have, especially when those secrets include customers’ personally identifiable information. However, when those secrets are transmitted over the Internet or are left unattended on storage devices, they can seep into the wild. One of the ways you can ensure the secrecy of your company and customer information is cryptography, which scrambles data to prevent it from being read by prying eyes. But when things go wrong, you are going to want to know how and why it happened, which is where digital forensics comes in. Through the use of digital forensics, you can identify who is trying to take your customers’ secrets and, if they succeeded, you can determine how it was done. This chapter will help you to:
• Understand the nuances of encryption law.
• Recognize the role constitutional amendments play in data protection.
• Leverage safe harbor laws to insulate your company from data breach liability.
• Understand the legal implications of conducting a forensic investigation.
• Know how to avoid losing a cybersecurity court case on procedure.

4.1 Brief Overview of Cryptography

Before I discuss cryptography laws, it is only fair that I provide you with a brief overview of cryptography and how it is used to protect data. Cryptography is the process of transforming readable data (cleartext) into unreadable data (encrypted data), protecting the data while it is stored or transmitted to another party. The encrypted data can be accessed only by those you specifically authorized to access it. They can access the data because you provided them with the key (encryption key) to unlock it. For example, if you are the sending party and responsible for encrypting the data and creating the encryption key, the receiving party decrypts the data using the encryption key you provided. Here is where I need to get a little technical, so work with me. The encryption key is the secret sauce of encryption algorithms. An algorithm is a mathematical formula that performs the encryption on the data, turning cleartext into meaningless ciphertext or encrypted data. An encryption key is a random set of bits used by a cryptographic algorithm to jumble data to the point where it can no longer be recognized. The key length is the number of bits in the key. Think of the bits as the notches in your house key; the more notches, the more difficult your lock will be to pick. The longer the encryption key, the harder it will be for cybercriminals to crack the encryption and reveal the data. Nearly 20 different key types are used in encryption algorithms. Some examples of key lengths in bits include 128, 192, 256, 384, 512, 1024, and 2048. Each key length has a projected end of life, which is an estimate of how soon hackers with the right technology could crack the encryption. For example, the National Institute of Standards and Technology (NIST) estimated that 2048-bit keys are safe until 2030 (Barker, 2016). Table 4-1 provides a summary of the most popular encryption methods.

Table 4-1. Popular Encryption Methods

Encryption Method | Overview
Asymmetric key algorithms | Known as public key encryption, this popular method uses a pair of different, mathematically related keys for encryption and decryption. A public key is used to encrypt the message, and a private key is used to decrypt the message.
Elliptic curve algorithms | This is another form of public key encryption that uses an algorithm function over points that belong to elliptic curves. Sounds complicated, and it is, but what is important about this method is that it allows smaller keys to be used and the encryption is just as effective as other algorithms. It is gaining in popularity because the smaller keys make the encrypting and decrypting of data fast.
Hash algorithms | Also known as digital fingerprinting algorithms, these algorithms do not use keys but instead convert cleartext to a hash value (mixed up data), making it impossible for the contents or length of the plaintext to be recovered. Without the passcode, the process is irreversible. This method is ideal for authenticating messages between senders and receivers.
Symmetric key algorithms | Known as secret or private key encryption, these algorithms share the same key for encryption and decryption. In this example, both parties have access to the secret key. Many security practitioners no longer use this technique because it is considered to be easily compromised by hackers.
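The method families summarized in Table 4-1, shown side by side in a Python standard-library sketch added here as an illustration; it is not code from the book. The public/private pair is textbook RSA with tiny toy primes and the symmetric cipher is an HMAC-derived XOR keystream, both chosen so the mechanics stay visible, and the last function makes the key-length point concrete by recovering a toy private key from its public key (all names, keys and sample data are constructed for this example).

```python
"""Sketch of the encryption method families in Table 4-1 (added example).

Hash, keyed hash, symmetric and asymmetric families using only the standard
library. The RSA-style pair uses toy primes and the stream cipher is a teaching
construction; real systems use vetted libraries and the 2048-bit keys the
chapter cites. The goal is to show how the families differ, not to be deployed.
"""
import hashlib
import hmac
import math
import secrets


# Hash algorithm: fixed-length fingerprint, no key. Neither the contents nor
# the length of the input can be recovered from the digest.
def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Keyed hash (HMAC): the "passcode" form used to authenticate a message
# between a sender and a receiver who share a secret.
def authenticate(shared_secret: bytes, message: bytes) -> str:
    return hmac.new(shared_secret, message, hashlib.sha256).hexdigest()


def verify(shared_secret: bytes, message: bytes, tag: str) -> bool:
    # Constant-time comparison so the check itself does not leak the tag.
    return hmac.compare_digest(authenticate(shared_secret, message), tag)


# Symmetric key algorithm: one secret key both encrypts and decrypts.
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Expand key + nonce into a pseudo-random byte stream (HMAC-SHA256 in
    # counter mode). A fresh nonce per message keeps streams from repeating.
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def symmetric_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def symmetric_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


# Asymmetric key algorithm: two mathematically related keys. The public key
# encrypts; only the matching private key decrypts. Toy-sized RSA.
def toy_keypair(p: int, q: int, e: int = 17):
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)              # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)            # (public key, private key)


def asymmetric_encrypt(public_key, message: int) -> int:
    n, e = public_key
    if not 0 <= message < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(message, e, n)


def asymmetric_decrypt(private_key, ciphertext: int) -> int:
    n, d = private_key
    return pow(ciphertext, d, n)


# Why key length matters: the private key follows directly from the factors of
# n. Trial division finds them instantly for a toy modulus; the search grows
# with sqrt(n), roughly doubling for every two extra bits of modulus, which is
# why real keys are thousands of bits long.
def recover_private_key(public_key):
    n, e = public_key
    for p in range(2, math.isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return (n, pow(e, -1, (p - 1) * (q - 1)))
    return None


def demo() -> dict:
    """Run every family once on constructed sample data and return results."""
    secret = b"shared-secret-constructed-for-this-example"
    msg = b"customer record 42"
    public_key, private_key = toy_keypair(61, 53)   # toy primes, not real sizes
    c = asymmetric_encrypt(public_key, 65)
    sym_ok = symmetric_decrypt(secret, symmetric_encrypt(secret, msg)) == msg
    return {
        "fingerprint": fingerprint(msg),
        "hmac_ok": verify(secret, msg, authenticate(secret, msg)),
        "symmetric_roundtrip": sym_ok,
        "rsa_ciphertext": c,
        "rsa_roundtrip": asymmetric_decrypt(private_key, c) == 65,
        "private_key_recovered": recover_private_key(public_key) == private_key,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```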

Cryptography is at the heart of virtually all data security approaches, and your understanding of the methods used will aid your understanding of cryptography laws as well as how to keep customer data private.

4.2 Cryptography Law

Cryptography is universally applied throughout the world to protect business, government, and military information. Because cryptography can shape privacy, free speech, and in some cases human rights, many countries regulate cryptography. How can encryption have such an impact on our fundamental rights? Consider the fact that people living under an oppressive regime can use encryption to communicate securely without the threat of going to jail for exercising their freedom of speech. Encryption also enables people to anonymously disclose the wrongs of their government or others by sharing information without fear of arrest. The primary reason encryption has the attention of governing bodies revolves around its dual-use capability, meaning that it can be applied for both commercial and military purposes. Cryptography law or encryption law is legislation that prescribes the conditions and rules by which data should be stored or transmitted in a secure manner to prevent anyone other than the intended audience from gaining access to the data. Some laws even designate who is allowed to encrypt data. If your company is multinational, you will need to know which countries restrict the import or export of cryptographic technology; limit the import of encrypted data; and restrict or prohibit the use of encryption within their borders.

TIP: Hold a discussion with your cybersecurity program’s security architect or engineer to make sure your company is in alignment with cryptography laws and to understand the encryption key lengths used within your organization’s infrastructure components. Be aware that encryption will be found in hardware, software, applications, websites, and networks.

4.2.1 Export Control Laws

Laws restrict the export of cryptography technology and encryption code to certain nations, governments, or companies. The US regulates cryptography in the interest of national security. In fact, the US government classifies cryptography as a munition (guns, tanks, bullets, etc.), treating it similarly to military weapons and listing it in the Code of Federal Regulations (CFR) US Munitions List (US Munitions List, 2013). Since 1996, the US has been a participant in the Wassenaar Arrangement (WA), so named for the city in the Netherlands where countries, now numbering 41, have come together to create policies on exporting conventional arms and dual-use goods and technologies. The WA is not a treaty and therefore not legally binding. The US Department of Commerce Bureau of Industry and Security (BIS) does, however, rely on the WA to control the export of encryption technology. I gained quite a bit of experience with the WA while working for a global Internet security software company where we exported intrusion detection systems, firewalls, and other security products internationally. One section within the WA’s document List of Dual-Use Goods and Technologies and Munitions List is “Category 5 - Part 2 Information Security,” which specifies cryptography export restrictions. This section makes clear that security items or security functions should be considered part of the provisions if they are components of other functions or items. For example, if a controlled encryption technology is on the list and that same technology is used within another product or service, then the product or service containing the technology is also considered to be on the list. Some exclusions to the list include products accompanying their user for personal use; products that meet all of a specified number of benchmarks, including public availability; and unalterable cryptography algorithms. At present, you cannot export encryption technology exceeding 56 bits for symmetric algorithms and 512 bits for asymmetric algorithms. The instructions of this section are quite complicated. I recommend that you review this section with your legal department. If you wish to read more about the WA in detail, you can go to its website at www.wassenaar.org. The US classifies export destinations into four country groups (A, B, D, E) according to the Export Administration Regulations (EAR) Supplement No. 1 to Part 740 (US Department of Commerce, 2016).
For the export of encryption, groups B, D:1, and E:1 are the most important:
• B – Relaxed Export Control Countries. This category has over 165 countries listed. You can download a copy of the EAR Supplement to ensure that you have the most current list.
• D:1 – Strict Export Control Countries. Armenia, Azerbaijan, Belarus, Burma, Cambodia, China, Georgia, Iraq, Kazakhstan, Kyrgyzstan, Laos, Libya, Macau, Moldova, Mongolia, Russia, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, and Vietnam.
• E:1 – Terrorist-Supporting Countries. Cuba, Iran, North Korea, Sudan, and Syria.

During the fall of the Libyan government in 2011, I was advising an energy company that could not remove its licensed encryption technology as it evacuated its foreign workers. I instructed their security team to use any means necessary to destroy the equipment. Had they failed to destroy the equipment, they would have been required to report the fact to the US State Department. The point here is that you will need policies and procedures for removing licensed encryption technology from restricted import countries to ensure that it is not left behind, potentially to fall into the wrong hands.

TIP: Your cybersecurity incident response program should include a process to handle the loss or theft of cryptography-embedded technology imported into a restricted country.

4.2.2 Import Control Laws

Some countries restrict the importation of encryption technology for fear of the introduction of nation-state sponsored encryption backdoors. Nation-states are areas where the inhabitants share the same culture, language, and religious beliefs. Think North Korea, Iran, Russia, and China – top hacker havens. (These may be contrasted to sovereign states, independent nations with complete power over themselves, such as the US and UK.) In our context, these nation-states are areas where hackers promote their political or religious ideology with the financial support and legal protections of their government. Each nation-state would have its own motivations for placing backdoors in its encryption technology to enable spying or to introduce security vulnerabilities in its technology infrastructure. A backdoor is a secret, deliberately programmed entry point that allows the software to be accessed without detection. Right or wrong, many countries mistrust US technology as they believe the National Security Agency (NSA) places backdoors in US encryption products. You can thank Edward Snowden and WikiLeaks for this perception. As a counter to this, and in the belief that other countries do the same (China, Russia, etc.), a growing number of countries require the use of their state-sponsored encryption algorithms. Another reason for restricting encryption technology is that some countries do not want an encryption technology used within their borders that offers higher-level encryption capability than their standard. In China, import regulations require companies to turn over their encryption source code, including encryption keys, when selling a product to certain industries such as financial institutions. Many countries, such as Russia, require a license for importing encryption technology, which includes Internet-downloadable encryption software.
Violating a nation’s import encryption laws can range from a technical violation sanction to fines and incarceration. Table 4-2 is an inventory of countries requiring an encryption import license that I made from reviewing the Wassenaar Arrangement.

Table 4-2. Countries Requiring Encryption Import Licenses

Country | Issuing Agency
Belarus | Belarus Ministry of Foreign Affairs or the State Center for Information Security of the Security Council
Burma | Contact the US State Department
China | Beijing Office of State Encryption Administrative Bureau
Hungary | International Import Certificate – contact the US State Department
Iran | Supreme Council for Cultural Revolution
Israel | Director-General of the Ministry of Defense
Kazakhstan | Licensing Commission of the Committee of National Security
Moldova | Ministry of National Security
Morocco | Contact the US State Department
Russia | Federal Security Service & Ministry of Economic Development and Trade (both required)
Saudi Arabia | Virtually banned, contact the US State Department
Tunisia | National Agency for Electronic Certification
Ukraine | Special Telecommunication Systems and Protection of Information of the Security Service of Ukraine

4.2.3 Cryptography Patent Infringement

A less common, nonetheless very expensive, way to run afoul of the law is to infringe on a cryptography patent. Be aware that if you use encryption technology within your company’s products or services without thinking of the patent implications, that act may have costly consequences. If your business is designing an in-house application or developing one for commercial purposes, you should not use copyrighted cryptography code. Instead, you should use open source or encryption code with an expired license. You will need to pay special attention to cryptosystems, which are popular because they contain everything required to generate an encryption key, encrypt the data, and decrypt the data. Take care because such systems contain multiple encryption algorithms, each one potentially covered by its own individual patent.

4.2.3.1 Patent Trolls

If you are asking yourself how companies could find out about your company’s encryption patent infringement, the answer is patent trolls. Many patents are acquired and held by patent holding companies whose sole purpose is to enforce patents and seek legal damages from those who infringe on them. They are referred to as patent trolls. This has resulted in the lucrative business practice of “patent trolling.” Patent trolling gained national attention in 2013 when a group of banks was sued for using patented encryption technology to conform to PCI DSS standards (Kitten, 2013). If you’re wondering about the degree to which patent trolling is a problem, consider the PricewaterhouseCoopers, LLP 2016 Patent Litigation Study, which reported that patent infringement cases amounted to $10.2 billion in 2015 settlements, reaching the highest point in 10 years. Lawsuits related to computer hardware and software accounted for 14%, or $1.4 billion, of the total settlements (Barry, Ansell, Arad, Cartier, & Lee, 2016).
Although no specific data exists on encryption cases, they would fall within the computer hardware and software category, and I suspect they alone run into the hundreds of millions of dollars, based on the sheer number of encryption patent infringement cases settled in the past few years. In December 2015, CryptoPeak Solutions sued nearly 70 companies, including Progressive Insurance, Netflix, and Scottrade, over the use of its encryption patent (Abel, 2015). In May, CryptoPeak Solutions had acquired US Patent 6,202,150 for auto-escrowable and auto-certifiable cryptosystems, a patent it applied to TLS-secured websites that operate using elliptic curve cryptography (ECC) (Kumar, 2015). Once CryptoPeak acquired the patent, all that was needed was to troll the Internet looking for companies using ECC technology in order to find patent infringers. You may remember my reference to ECC from section 4.1. CryptoPeak Solutions began suing infringing companies in bulk in the Eastern District Court of Texas. Some companies choose to settle, while others will battle it out in court.

This is an excellent example of jurisdiction, which was covered in Chapter 1, section 1.6. Patent trolls leverage jurisdiction to their advantage. Once patent trolls realized that the Eastern District Court of Texas handled 43.6% of all patent infringement cases and that a single judge in the district handles 20% of all patent infringement cases in the US, they began routinely requesting this venue based on the court’s experience in this particular field of law (Brachmann, 2016).

TIP: Make it a priority to take an inventory of applications, hardware, and software, itemizing each type of encryption used throughout your company. Each method of encryption should be traced to the original patent or to the license that enables your company to legally use the encryption program. With expert assistance, you will then be able to assess any patent infringement exposure and put in place corresponding strategies to eliminate it.

4.2.4 Search and Seizure of Encrypted Data

Criminals have entered the digital age, using laptops, smartphones, and other technologies to commit crimes. Law enforcement is challenged with how to obtain digital evidence without violating the Fourth Amendment. The Fourth Amendment, also commonly referred to as the “a man’s home is his castle” doctrine, assures citizens that they are free from unreasonable searches and seizures of property by the government. The rules for seeking physical evidence differ significantly from those for searching digital evidence. In an era of rapidly evolving law, where the US Supreme Court has even weighed in on the importance of balancing law enforcement requirements with the rights of individuals, it’s important for you to understand search and seizure laws.

4.2.4.1 Digital Search Warrants

In almost all cases, a search warrant is required to search for digital evidence. As with a physical evidence search warrant, probable cause is also required for a digital search warrant. Some interesting differences exist, however. For example, where a physical search warrant would name a street address, a digital search warrant could name an IP address. In this case, law enforcement would be able to search the digital devices at the other end of that IP address. Law enforcement agencies are training officers to incorporate digital-specific language in their search warrant applications. Executing search warrants becomes complicated when law enforcement realizes the data they seek is encrypted, since seizing a computer with inaccessible data is of no value.

4.2.4.2 Foregone Conclusion Rule

The Fifth Amendment becomes involved when law enforcement wants the password for decrypting the seized data. The Fifth Amendment protects citizens from self-incrimination and in this case would prevent law enforcement from compelling someone to disclose what is in their mind, such as a password to encrypted files. However, some courts have applied a doctrine called foregone conclusion. For example, a foregone conclusion argument could be made if a defendant 1) admits to owning a computer, 2) admits the files were encrypted, and 3) acknowledges having the ability to decrypt the data. To further the argument for foregone conclusion, the computers must be known to the government, and the government must have good reason to suspect the data exists on those computers. Judges have been known to compel a defendant to disclose the encryption keys using foregone conclusion as the reason.

4.2.5 Encryption Personal Use Exemption

Next time you are packed and ready to head to the airport for an overseas vacation or business trip, ask yourself, “Will I be violating any laws?” You just may. Some countries ban or significantly regulate the import or export of encryption technology. This includes the laptop you packed for your trip. To ensure you don’t violate international law, you will need to verify whether the country you are visiting has a ban on bringing in laptops, smartphones, or other technology with encryption installed. You will also need to remember that once in the country, you would not be able to produce any products with the encryption technology you brought with you. For example, you could not use the software on the laptop to create PDFs, documents, or other products encrypted at a level higher than that allowed by law. At the very least, you risk having your technology confiscated, or you may face fines and even incarceration.
You are also restricted from creating, enhancing, sharing, selling, or otherwise distributing the encryption technology while visiting, so don’t make copies of software with illegal encryption and hand them out to colleagues or friends when traveling in one of these encryption-restricting countries. You can use the following list of the 38 of 41 members of the Wassenaar Arrangement that extend personal use provisions to know where you can bring your laptop and smartphone while traveling.

• North America: Canada and the US.
• South America: Argentina.
• Asia-Pacific: Australia, Japan, Republic of Korea (South Korea), and New Zealand.
• Europe, the Middle East, and Africa: Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Turkey, and United Kingdom.

4.3 State Encryption Laws

In October 2008, Nevada law NRS 597.970 became the first state law specifying the use of encryption for the transmission of electronic data by companies conducting business in the state (London, 2008). The seriousness and scope of these state-based encryption rules began to change in May 2009, when Massachusetts passed an encryption law that applies not only to companies doing business in the state but to every company, regardless of location, holding information on a state citizen. Since that time, other states have amended their existing data breach notification laws to include a provision to encrypt information. The most comprehensive state data encryption law that I have seen to date is Washington bill HB 1078, passed in 2015, requiring data encryption that meets or exceeds NIST cryptography standards. I would expect more states to pass similar laws in the coming years.

TIP: If your company does not already leverage the NIST encryption guidelines to protect information, begin advising your cybersecurity team now to move toward a NIST or similar standard of encryption. The process could take years, and starting now is the prudent approach.

4.3.1 State Encryption Safe Harbor Provision

All of the states except Alabama, New Mexico, and South Dakota have incorporated a safe harbor provision within their data breach statutes (National Conference of State Legislatures, 2016). A safe harbor provision in this context provides an exception to data breach reporting in cases where the breached data was encrypted. Safe harbor provisions – to use a metaphor from the board game Monopoly – are your “Get out of jail free” card. You would need to disclose a data breach only if your data was unencrypted or you used an encryption method that was considered below minimum standards. In reviewing the state data breach laws, I found that the following conditions would require a breach notification:

• When data is unencrypted.
• When data is encrypted, and the encryption key is disclosed.
• When data is unredacted.
• When data encryption does not meet NIST standards.
• When data encryption does not use 128-bit or stronger algorithms.

These reporting exceptions are becoming stricter as states realize that even though companies have encrypted data, they may have left the keys vulnerable to theft. You will need to verify the safe harbor provisions of each state whose data breach rule applies to your business in order to properly guide your organization toward compliance.
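As an added illustration (not from the book) of how these conditions can be checked across an inventory, the script below applies the five conditions to a constructed list of breached data stores and reports, per store, why notification would be required; a cipher whose key length cannot be determined is treated as failing the 128-bit test. The NIST-approved set and the fixed key-strength table are assumptions standing in for lists your organization would maintain.

```python
# Added example (not from the book): a triage check that applies the five
# breach-notification conditions listed above to an inventory of breached
# data stores, so the safe harbor question is answered per store, with reasons.
from dataclasses import dataclass
from typing import Optional

# Assumption: the organization keeps its own list of algorithms it treats as
# meeting NIST standards; AES is the uncontroversial entry.
NIST_APPROVED = {"AES"}

# Constructed table of effective key strength for cipher names that carry no
# key-length suffix (3DES is rated at 112 bits of security in NIST SP 800-57).
FIXED_KEY_BITS = {"3DES": 112, "DES": 56, "RC4": 128}

MIN_KEY_BITS = 128  # the 128-bit floor quoted in the conditions above


@dataclass
class DataStore:
    """One breached data store as recorded in a (constructed) inventory."""
    name: str
    encrypted: bool
    cipher: Optional[str] = None   # e.g. "AES-256-GCM", "3DES", "RC4"
    key_disclosed: bool = False    # the key was among the stolen material
    redacted: bool = True          # personal data fields masked or truncated


def parse_cipher(cipher: str) -> tuple:
    """Split 'AES-128-CBC' into ('AES', 128); fall back to FIXED_KEY_BITS,
    and return None for the key length when it cannot be determined."""
    parts = cipher.upper().split("-")
    algo = parts[0]
    bits = next((int(p) for p in parts[1:] if p.isdigit()), FIXED_KEY_BITS.get(algo))
    return algo, bits


def notification_reasons(store: DataStore) -> list:
    """Return the conditions the store triggers; an empty list means the
    encryption safe harbor would apply and no notification is required."""
    reasons = []
    if not store.encrypted or not store.cipher:
        reasons.append("data is unencrypted")
    else:
        algo, bits = parse_cipher(store.cipher)
        if store.key_disclosed:
            reasons.append("data is encrypted but the encryption key was disclosed")
        if algo not in NIST_APPROVED:
            reasons.append(f"{algo} does not meet NIST standards")
        if bits is None or bits < MIN_KEY_BITS:
            # Unknown strength is treated as failing: the burden of proof is yours.
            shown = "unknown" if bits is None else f"{bits}-bit"
            reasons.append(f"{shown} key does not meet the {MIN_KEY_BITS}-bit minimum")
    if not store.redacted:
        reasons.append("data is unredacted")
    return reasons


def triage(stores) -> dict:
    """Map each store name to the list of conditions it triggers."""
    return {s.name: notification_reasons(s) for s in stores}


# Constructed inventory for demonstration.
SAMPLE_STORES = [
    DataStore("hr-db", True, "AES-256-GCM"),
    DataStore("legacy-backup", True, "3DES"),
    DataStore("file-share", False),
    DataStore("pos-archive", True, "AES-128-CBC", key_disclosed=True),
    DataStore("analytics-export", True, "BLOWFISH", redacted=False),
]

if __name__ == "__main__":
    for name, why in triage(SAMPLE_STORES).items():
        print(name, "->", "safe harbor applies" if not why else "; ".join(why))
```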

4.4 Fifth Amendment and Data Encryption

I mentioned in 4.2.1 that the Fifth Amendment protects you from being a witness against yourself. I am sure you have seen just enough of Court TV or C-SPAN to see defendants “plead the Fifth.” In the US, the only person who can force someone to reveal information is a judge, and that can only be done if you do not have a valid constitutional right not to disclose the information. The rule that courts normally follow in the US is that the government cannot compel a witness to make a self-incriminating testimonial communication. Does this mean you would not be able to plead the Fifth when asked to disclose your encryption keys? The answer is: maybe not.

Testimonial communication sounds fancy, but it is quite simple. Testimonial communication is a situation in which you know something that would incriminate you if you revealed it. Think of it as a secret about yourself. The rationale behind this rule is to avoid forced confessions. It is important for you to note that your company, and corporate entities in general, do not have the right to “plead the Fifth,” as it applies only to individuals. Testimonial communication is what is in your mind, not what is in your possession. Another way to look at it is the contrast between a physical key and an encryption password. The police can compel you to turn over a physical key to a lock, but not the encryption password that you memorized. Law enforcement can fingerprint you without your consent and without violating your rights, but what about biometric fingerprint authentication? This is something that you have, not something you know. Law enforcement could require or force you to swipe your finger to unlock data in basically the same manner they require a fingerprint at the police station. I am waiting for the first case like this to see if this would ever happen.

TIP: To preserve your right against self-incrimination, use a combination of fingerprint authentication and a passcode or passphrase. In the event you were forced to swipe your finger on the biometric pad, you would still have a secret code. This is referred to as two-factor authentication.

How does this apply to the digital world when the government requests your data? The encryption of digital documents has complicated search and seizure warrants. Can someone be compelled to give up their passwords or encryption keys to seized data? Presently the US does not have a key disclosure law, that is, a law requiring a user to turn over passwords or encryption keys to law enforcement on request. Absent a key disclosure law, US courts have still issued subpoenas compelling individuals or companies to provide the password or keys to access encrypted data. Court opinions on compelling users to decrypt their data have varied widely. Some rulings have stated that if law enforcement is confident of the contents of an encrypted disk, then surrendering the encryption keys does not violate the protection against self-incrimination. However, the US Court of Appeals for the Eleventh Circuit ruled on 24 February 2012 that forcing the decryption of one’s laptop violates the Fifth Amendment (United States v. Doe, 1988).

The controversy over encryption key disclosure was also played out in the media when the Federal Bureau of Investigation (FBI) issued a National Security Letter in 2013 to an encrypted email service called Lavabit LLC. The FBI wanted to access the emails of Edward Snowden, one of Lavabit’s 410,000 customers. The company chose to go out of business rather than turn over its private keys. Now that is really keeping a secret!

The 2016 Apple case is another example of the government requesting that a company decrypt data. Here, following the tragic December 2015 San Bernardino, CA terrorist attack, the FBI wanted to compel Apple to recover data from the iPhone of one of the shooters. The FBI was so determined to force Apple to unlock the iPhone that it found a judge to issue an order based on a 227-year-old law called the All Writs Act (Lewis, 2016). Basically, the All Writs Act allows a judge wide latitude to issue just about any type of court order to compel companies or people to do something within the limits of the law without citing a particular law. The difference between the Lavabit and Apple cases is that Apple had the financial resources and legal team to resist the government order.

4.5 Laws and Regulations Requiring Encryption

A growing number of laws and regulations now require data encryption for data-at-rest and data-in-transit. Some of the laws and regulations state that you may use something other than encryption if it is deemed more capable; however, frankly, nothing is more effective than encrypting data. Knowing which laws apply, and what level of encryption is required, can make all the difference in whether your company is sanctioned, fined, or sued following a data breach. Table 4-3 is a list of significant US encryption laws and regulations of which you should be aware.

Table 4-3. Significant US Encryption Laws and Regulations

Governing Body: Department of Health and Human Services (HHS)
Statute: 2003 – Health Insurance Reform: Security Standards – Section §164.306 requires the encryption of PHI based on a risk assessment.

Governing Body: Department of the Treasury, Office of Foreign Assets Control (OFAC)
Statute: 2004 – 31 CFR Parts 500 to 597 restricts the shipment of advanced technology to restricted countries.

Governing Body: Financial Industry Regulatory Authority (FINRA)
Statute: 2015 – Regulation S-P of the Securities Exchange Act of 1934 (Regulation S-P, 17 CFR §248.30), Rule 30, requires that all registered stock brokers, dealers, and investment companies implement safeguards to protect customer records and information. Since the rule went into effect, 13 Disciplinary Letters have been issued through September 2016, including over $3 million in fines.

Governing Body: Internal Revenue Service (IRS)
Statute: 2014 – IRS Publication 1075 – Requires the IRS as well as all local, state, and federal governments receiving personal tax information to follow NIST encryption standards to protect personal and financial data.

Governing Body: US Department of State – Directorate of Defense Trade Controls
Statute: 1976 – International Traffic in Arms Regulation (ITAR) – Controls on military items and technologies – Department of State, Directorate of Defense Trade Controls (DDTC) – Arms Export Control Act (AECA) – 22 CFR Parts 120 to 130. Ensures that advanced encryption technology does not get into the wrong hands.

Governing Body: US Patent and Trademark Office
Statute: 1998 – Digital Millennium Copyright Act (DMCA) – Prohibits the creation, transmission, and dissemination of encryption software that reduces the legitimacy of US encryption algorithms. The act restricts encryption methods which threaten the integrity of Digital Rights Management (DRM) encryption.

4.6 International Cryptography Law Perspective

Encryption has become a global issue, just as data sharing is a global business imperative. Many countries have passed data encryption legislation that specifies what should be encrypted, who should own the keys, what type of encryption can be used, and where encryption should apply. In fact, there has been some discussion among world leaders and technologists about creating global encryption legislation or, at the very least, a standard. This debate is likely to be ongoing, as many countries disagree about issues relating to government backdoors, violations of free speech, and impacts on human rights. I expect that the nationalist stance on data encryption laws will prevail in light of widely publicized document leaks (WikiLeaks) and the US states’ concern over other governments having access to their information. In fact, some of my customers have shared with me that encryption laws and their vagaries have affected their global competitiveness. Having worked for a global company, I learned that China, France, Hong Kong, Israel, and Russia are the most aggressive enforcers of encryption law. Thus, I advise you to review encryption not only as a privacy-preserving technology but also as a business driver. Table 4-4 is a list of significant international encryption laws and regulations of which you should be aware.

Table 4-4. Significant International Encryption Laws and Regulations

Statute: European Union: 8th EU Company Law Directive
Overview: This 2010 directive is the European version of the Sarbanes-Oxley Act. Mandatory encryption of financial reporting data and other related sensitive information at-rest, in-transit, and during processing must become part of the data’s lifecycle. Companies are required to implement encryption technologies for network connections that carry financial reporting data and related sensitive information.

Statute: European Union: Directive 95/46/EC
Overview: This 1995 directive does not have language that is technology-specific; however, data-at-rest and in-transit are referenced. The directive states that any responsible entity must take appropriate measures to protect individuals’ personal data. Encryption certainly falls under this category.

Statute: Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
Overview: Bill C-475 was proposed in 2013 to update PIPEDA with more specific protections and accountability requirements for organizations handling personal data, but was defeated in January 2014.

Statute: Germany: Federal Data Protection Act [Bundesdatenschutzgesetz (BDSG)]
Overview: The 2009 act is designed to ensure public and private organizations and companies protect sensitive customer data throughout the collection and dissemination processes.

Statute: Japan: Personal Information Protection Law (PIPL)
Overview: 2003 – Article 20 of the act states that any entity handling personal information must take necessary measures to prevent leakage, loss, or damage to that information.

Statute: United Kingdom: Data Protection Act 1984
Overview: This 1984 act urges UK organizations to take appropriate technical measures to avoid unauthorized access to or use of private data. Encryption should be one of those measures.

4.7 International Key Disclosure Law

Key disclosure laws are legislation requiring individuals to surrender their cryptographic keys to law enforcement upon request. In my former role as a global cybersecurity architect, I found that at least 14 countries have a key disclosure law. You may breathe a sigh of relief, as the US presently has no such law. The purpose of these types of laws is to enable law enforcement to perform digital forensics without the risk of damaging evidence in the course of attempting decryption. One of my tasks working for a global oil and gas company was writing travel advisories. I found while writing advisories for Australia, Canada, France, India, South Africa, the United Kingdom, and a few others that key disclosure laws varied in procedure and penalties, with some imposing mild incarceration of a few months and others multi-year prison terms. Some of these countries have even entertained adding a third-party key escrow provision, under which companies would have to deposit their encryption keys with a third-party escrow service to be accessed only by law enforcement.

TIP: A policy should be published instructing employees traveling to countries with key disclosure laws how to respond to law enforcement requests to surrender their encryption key passwords.

4.8 Legal Aspects of Digital Forensics

One of the most legally defined domains of cybersecurity is digital forensics. Evolving regulations and case law have affected how digital evidence is gathered and presented in a court of law. Digital forensic experts must not only have tradecraft in cybercrime investigations but also a working knowledge of the laws that govern evidence collection. Lack of care and attention to forensics law in the collection of digital evidence can make that evidence inadmissible in court.

4.8.1 Preservation Order

In the event a lawsuit is filed against your company, and suspicions arise that data material to the case may be altered or destroyed, a court can issue you a preservation order. Such an order instructs you, the defendant, to refrain from destroying data before the issuance of a search warrant or, in a civil case, formal electronic discovery. Complying with preservation orders can prove very disruptive to business operations. Freezing information and preventing its alteration or loss can be complex, especially when the court-ordered preserved data is commingled with normal production data. For example, you may need to resolve service level agreement disputes when certain data are not available for use when required. Courts will evaluate the need to issue your company a preservation order based on the following criteria:

1. Can it be demonstrated that you will likely destroy data if it is not protected?
2. Will irreparable harm be caused to the plaintiffs if the order is not issued?
3. What is the burden imposed on your company if the order is granted?

I gained quite a bit of experience in the area of preservation orders while working at an international hardware and services company with 300,000 employees and over $100 billion in annual revenue. In the normal course of business, we were sued numerous times, and with each lawsuit came a preservation order. The main problem we faced was that preservation orders were in force for years. The length of preservation orders forced us to deal with situations such as the loss of computer equipment holding court-ordered data and the retirement of employees processing preserved data. You will need policies and procedures on how to back up and protect preservation order information when desktops and laptops are replaced, personnel change jobs and are no longer covered by the order, or in any number of other scenarios.

TIP: Preservation orders can live for many years; you will need to design and implement a process of reminders, at least every six months, to users covered under a preservation order to retain all information specified in the order. You will also need to define strategies to preserve information throughout the technology lifecycle and conduct sample validations that data specified by the order still exists.

4.8.2 Digital Best Evidence Rule

Having worked more than my fair share of investigations, I was always asked, “How do you provide the best digital evidence to support a lawsuit in which your company is involved?” You might be asking yourself whether, if you can just make a copy of data on a hard drive, a printout will do just as well. Thankfully, under the US Federal Rules of Evidence, there is a rule to cover those questions. This rule is called the best evidence rule, meaning that when a plaintiff or defendant (you) wishes to submit evidence to a court, that evidence must be the original or the best you can find. You will need to provide a full explanation of why an original cannot be produced. In the case of digital evidence, it is technically and logistically impossible to ship a computer system with attached storage devices to a courtroom or send it to a plaintiff for discovery. The only valid way to offer the evidence is to make a copy of the data that resides on the storage drive. You will need to provide assurances that the use of this secondary evidence will meet the criteria specified by the best evidence rule. Under the Federal Rules of Evidence, a printout or readable output of data stored in a computer that accurately reflects the original can be deemed to be the original. Because digital evidence can be subject to alteration and its authenticity is often challenged in court, you will need to prove the authenticity of the information provided. The following are the types of digital evidence admissible in court:

• Computer stored/generated documents.
• Email.
• Social network communications and postings.
• Text messages.
• Website data.

TIP: In the eyes of the court, a forensically protected image of a hard drive is equal to the original hard drive. In an investigation, forensic experts use the first image of a hard drive, referred to as the best evidence, because it is closest to the source.

4.8.3 Digital Chain of Custody

One of the ways to prove the authenticity of evidence, and that it has not been altered, is to carefully track it from gathering to submittal, in other words, its chain of custody. You will need to know who came into contact with the evidence and why. Chain of custody issues are critically important if you are going to submit digital evidence in a court of law, particularly how you acquired, protected, and tracked the evidence. The seriousness of the offense should dictate the degree of professionalism invested in the chain of custody. An internal employee investigation involving sexting to another employee can be handled more casually than a class action lawsuit or cybercrime offense where the evidence will be required in a court of law. I have seen many instances of methodically collected digital evidence challenged and dismissed from a court case for lack of proper chain of custody. You will be responsible for creating, documenting, and maintaining a chain of custody for each item of evidence. Accomplishing this should include visual proof of evidence retrievals, such as pictures or videos. Video recording the digital evidence gathering will reinforce your claims of authenticity and admissibility of the evidence in the courtroom.
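The integrity requirement behind the best evidence TIP in 4.8.2 and the who-touched-it-and-why record described here can be put into working code; the Python example below (added here, not from the book) fingerprints an evidence image at acquisition and keeps a hash-chained custody log, so that alteration of either the image or any log entry is detectable on verification. The evidence id, custodian names, timestamps and image bytes are constructed sample values.

```python
# Added example (not from the book): evidence hash plus a hash-chained
# chain-of-custody log, making alteration of image or log detectable.
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # "previous hash" placeholder for the first log entry


def sha256_hex(data: bytes) -> str:
    """SHA-256 fingerprint of an evidence image, taken once at acquisition."""
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash of an entry's fields (excluding its own hash) in canonical JSON."""
    fields = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Records who handled an evidence item, when and why. Every entry commits
    to the acquisition hash and to the previous entry, so editing one entry
    breaks either its own hash or the link from the entry after it."""

    def __init__(self, evidence_id: str, image: bytes, custodian: str,
                 note: str, when: Optional[str] = None):
        self.evidence_id = evidence_id
        self.image_hash = sha256_hex(image)
        self.entries = []
        self._append(custodian, "acquired", note, when)

    def _append(self, custodian: str, action: str, note: str, when: Optional[str]):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "evidence_id": self.evidence_id,
            "when": when or datetime.now(timezone.utc).isoformat(),
            "custodian": custodian,
            "action": action,
            "note": note,
            "image_hash": self.image_hash,
            "prev": prev,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)

    def transfer(self, to_custodian: str, reason: str, when: Optional[str] = None):
        """Record a hand-off: the new custodian and why they need the item."""
        self._append(to_custodian, "transferred", reason, when)

    def verify(self, image: bytes) -> list:
        """Return a list of problems; an empty list means image and log are intact."""
        problems = []
        if sha256_hex(image) != self.image_hash:
            problems.append("image hash does not match acquisition hash")
        expected_prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i:
                problems.append(f"entry {i}: sequence gap")
            if e["prev"] != expected_prev:
                problems.append(f"entry {i}: broken link to previous entry")
            if e["image_hash"] != self.image_hash:
                problems.append(f"entry {i}: image hash differs from acquisition hash")
            if _entry_hash(e) != e["entry_hash"]:
                problems.append(f"entry {i}: contents altered after recording")
            expected_prev = e["entry_hash"]
        return problems


def demo() -> tuple:
    """Constructed walk-through: a clean log, then an altered image, then an
    altered log entry. Returns the three verification results."""
    image = b"constructed sample disk image bytes, not a real acquisition"
    log = CustodyLog("EV-0001", image, "examiner A",
                     "imaged laptop HDD behind a write-blocker", "2017-03-01T09:00:00+00:00")
    log.transfer("evidence locker", "stored pending review", "2017-03-01T11:30:00+00:00")
    log.transfer("examiner B", "analysis for matter 17-042", "2017-03-02T08:15:00+00:00")
    clean = log.verify(image)
    altered_image = log.verify(image + b"x")          # one byte appended
    log.entries[1]["note"] = "edited after the fact"  # tamper with the log
    altered_log = log.verify(image)
    return clean, altered_image, altered_log


if __name__ == "__main__":
    for label, result in zip(("clean", "altered image", "altered log"), demo()):
        print(f"{label}: {result or 'OK'}")
```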

4.8.4 Digital Data Admissibility in Court

Digital evidence admissibility refers to the requirements for admitting evidence in a civil or criminal cybercrime case. Before evidence can be admitted, both the plaintiff and defendant can argue the weight or merits of the evidence to challenge its admissibility. Common arguments against the admissibility of evidence involve the technology used to collect the evidence and whether the evidence was somehow modified during collection or within the chain of custody. When gathering digital forensic evidence, you must satisfy three conditions:

• The authenticity of the data – is the data original and not altered or corrupted after its creation?
• The relevancy of the data – can the data help prove the claim in question?
• The reliability of the data – is the data complete and accurate enough to support a claim?

It is not enough that you may be able to provide proof of the offense; you must also prove that the methods used meet the above criteria, which the courts will use to judge the admissibility of the evidence. You don’t want a case that you’re involved in to be tossed because of sloppy work.

4.8.5 Digital Evidence Spoliation

Spoliation is hiding, destroying, or altering information that is evidence. Spoliation of digital evidence occurs when a party violates its duty to preserve data under a preservation order. While spoliation can occur accidentally or intentionally, willful destruction of digital information can draw harsh penalties, including fines and incarceration. Spoliation can occur only after a lawsuit or the issuance of a court order – before that, the information was yours to do with as you wished. Courts will also evaluate pre-litigation spoliation if they feel you knew a lawsuit was imminent. Courts have rather broad powers when it comes to determining spoliation. They will weigh your organization’s data retention policies, your intent, and how material the data would be to the case. The answers to those questions will determine whether the spoliation was negligent or criminal. Spoliation has become part of tort law, with all states now having spoliation of evidence laws. In an example of non-willful spoliation, a court found that Prudential Insurance Co. did not willfully destroy data but that its actions were negligent nonetheless, and imposed a $1 million sanction (Prudential Insurance Company of America Sales Practice Litigation, 2001). The lesson here is that the court may not find you intended spoliation, but it may fine you for poor data management practices. In 2016, the highly visible data spoliation case of Move v. Zillow found that a former Move executive destroyed computer evidence that would have proved he stole confidential information from Move to use at Zillow. The court held a spoliation hearing to establish whether the destruction of the data was too great to allow a fair trial. As a result of the hearing, the judge allowed Move to inform the jury of the spoliation and describe how it hurt their case. Zillow agreed to pay $130 million to Move to settle the case shortly thereafter (Collins, 2016). I would hazard a guess that Zillow realized how damaging the evidence of destroying data would be to its case and subsequently chose to settle rather than continue the trial and risk a more expensive jury outcome.

As a manager, you have a duty to protect data before and after litigation. Data spoliation is considered a serious legal offense, and you could end up serving time.

TIP: Be sure that your data retention program includes spoliation prevention policies. A court will look at your documented data retention practices to evaluate accidental spoliation. Data that is normally scheduled for deletion could be viewed as a normal event rather than fall under suspicion of spoliation.

4.8.6 Expert Witnesses In the event you are involved in a cybersecurity case, you will need at least one expert witness to side with your argument. Selecting computer forensic experts must be done with great care since your experts will have to hold up to cross-examination concerning their expertise. During my first time as an expert witness, I was surprised at how opposing council studied my background in detail and challenged every aspect of it in an attempt to discredit me. Fortunately, the judge interrupted after 45 minutes of grilling and declared that I clearly met the criteria of an expert witness. The experts selected should also have experience in testifying under oath and communicating simply and effectively to a lay jury. Most times companies have already hired forensic experts before a lawsuit is even filed. There is some risk that the plaintiff may question the expertise of your expert witness and how the data was gathered. In the event this occurs, you may be required to start over and formally request the appointment of a neutral third party to perform the forensic investigation. In the event this occurs, remember that the expert witness is serving as an officer of the court who will be impartial to the plaintiff and defendant. 4.8.7 Security Consultant Client Privilege We have all heard about client-attorney privilege, but what about security consultant-client privilege? If you hired an outside security consulting firm to investigate a data breach, can you keep the results of their investigation out of court? You just may be able to, based on a key data breach litigation ruling made by the Middle District Court of Tennessee in the Genesco, Inc. v. Visa U.S.A., Inc. case. The court ruled that Visa could not have access to security assessment reports produced by two security consulting companies hired by Genesco (Genesco, Inc. v. Visa U.S.A., Inc., 2013). The court ruled that the assessment reports were protected by client-attorney privilege. 
This ruling is important because it confirms that a cybersecurity consultant's work product and communications can be kept confidential when counsel retains the consultant to obtain technical assistance that enables counsel to render legal advice to the client. For this to hold, legal counsel must lead the security investigation, engaging the consultants and directing their work, rather than the business hiring them directly.

4.9 State Digital Forensics Law
You may be surprised to learn that a growing number of states require a licensed private investigator (PI) to be involved in digital forensic investigations for the evidence to be admissible in a court of law. I have lived in four states (Georgia, Michigan, New York, and Texas) with laws requiring PI involvement in digital forensic investigations. I was curious which other states also had that requirement and found that California and Nevada now require PI involvement (Legal Compliance, n.d., para. 4). Colleagues have told me that they have found other states going a bit further than a PI license by requiring a digital forensic examiner's license or a minimum of three years as a sworn law enforcement officer. It is important for you to research the forensics laws in your state.

I first came across the PI requirement in 2008 while working with a Texas-based company investigating a breach of security. I was asked to review the findings of their recent forensics investigation. As this was my first time working a forensics case in Texas, I familiarized myself with the rules of evidence. It was at that point that I realized my client could not submit any of their proof in a Texas court of law. What the client would soon learn was that a year earlier Texas had passed the Private Security Act, requiring that a licensed PI collect forensic evidence for it to be admissible in a state court. Their hard lessons were that the evidence had been illegally acquired, a violation of the chain of custody had occurred, and they could not terminate the employee they suspected of committing the offense.

Summary
This chapter showed you the legal dos and don'ts of data encryption, as well as some unique ways your company can violate encryption laws. You may never have thought about being sued by a patent troll before reading this chapter. And who would have thought you needed to hire Dick Tracy to perform your digital forensics?
Because it is not a matter of "if," but "when," your company will be involved in a cybersecurity lawsuit, you should now understand the processes involved in gathering and protecting evidence. Now that you are grounded in what is happening today in cybersecurity and privacy law, it is time to look to the future in Chapter 5.

References
Abel, R. (2015, December 2). So-called "patent troll" sues dozens of major firms over encryption use. SC Magazine. Retrieved from http://www.scmagazine.com/cryptopeak-solutionshas-sued-nearly-70-high-profile-companies-over-encryption/article/457367/
Barker, E. (2016, January). Recommendation for key management. Part 1: General. (US Department of Commerce, National Institute of Standards and Technology. NIST Special Publication 800-57 Pt. 1 Rev. 4). Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf
Barry, C., Ansell, L., Arad, R., Cartier, M., & Lee, H. (2016, May). 2016 patent litigation study: Are we at an inflection point? Retrieved from http://www.pwc.com/us/en/forensicservices/publications/assets/2016-pwc-patent-litigation-study.pdf
Brachmann, S. (2016, January 8). 2015 litigation trends highlight increased patent litigation, decreases in file sharing cases. IPWatchdog. Retrieved from http://www.ipwatchdog.com/2016/01/08/2015-patent-litigation-trends/id=64774/
Collins, J. (2016, June 6). Zillow to pay realtor.com $130 million over trade secrets. The Orange County Register. Retrieved from http://www.ocregister.com/articles/zillow-718419-realestate.html
Genesco, Inc. v. Visa U.S.A., Inc. (US District Court for the Middle District of Tennessee, Nashville Division 2013)
Kitten, T. (2013, June 25). Patent lawsuits target eight banks: Litigation takes aim at core banking systems, functions. Bank Info Security. Retrieved from http://www.bankinfosecurity.com/patent-trolling-targeting-banks-a-5858/op-1
Kumar, M. (2015, December 1). Patent troll – 66 big companies sued for using HTTPS encryption. The Hacker News. Retrieved from http://thehackernews.com/2015/12/patenttroll-https-encryption.html
Legal compliance: Diversified forensics complies with all relevant state laws pertaining to evidence collection. (n.d.). Retrieved on October 20, 2016 from http://www.diversifiedforensics.com/legal-compliance/
Lewis, D. (2016, February 24). What the All Writs Act of 1789 has to do with the iPhone. Retrieved from http://www.smithsonianmag.com/smart-news/what-all-writs-act-1789has-do-iphone-180958188/?no-ist
London, R. (2008, February 27). Some state data encryption requirements more effective than others. [Web log post]. Retrieved from http://www.privsecblog.com/2008/02/articles/policy-regulatory-positioning/some-statedata-encryption-requirements-more-effective-than-others/
Move v. Zillow, No. 14-2-07669-0 (Washington Superior Court 2014)
National Conference of State Legislatures. (2016, January 4). Security breach notification laws. Retrieved from http://www.ncsl.org/research/telecommunications-and-informationtechnology/security-breach-notification-laws.aspx
Prudential Insurance Company of America Sales Practice Litigation. Marvin Lowe and Alice Lowe, appellants (US Court of Appeals, Third Circuit 2001)
United States v. Doe, No. 86-1753 (US Fifth Circuit Court 1988)
US Department of Commerce, Bureau of Industry and Security (BIS). (2016, November 4). License exceptions: Supplement no. 1 to part 740. Retrieved from http://www.bis.doc.gov/index.php/forms-documents/doc_view/452-supplement-no-1-topart-740-country-groups
US Munitions List. 22 CFR pt. 121.1 (2013). Retrieved from http://www.pmddtc.state.gov/regulations_laws/documents/official_itar/ITAR_Part_121.pdf

Chapter 5
Future Developments in Cybersecurity Law

I have shared a brief history of cybersecurity law, discussed the application of law to cybersecurity civil and criminal offenses, and now it is time to look toward the future. As a manager involved with the protection of your organization's information, you will need the optics to peer around the corner to see what's ahead in the areas of cybersecurity and privacy. In this chapter, I explore what I believe are the regulatory and technological developments and the global cybersecurity legislative momentum that will shape the future of cybersecurity law.

This chapter will help you to:
• Understand the impact of emerging legislation on your cybersecurity program.
• Recognize that technology advancements must be evaluated in the context of the law.
• See how a trade pact may have a significant impact on how you conduct business globally.
• Gain an appreciation for international cybersecurity legal frameworks.
• Develop a global view on cybersecurity and data privacy.

5.1 Future of Cybersecurity Legislation
The speed at which cybersecurity legislation is evolving requires you to keep an eye toward the future to gauge the impacts on your organization's cybersecurity and privacy programs. The total number of laws of which you must stay abreast, as well as their many amendments, can cause a change control nightmare within your cybersecurity and privacy programs' policies and practices. In addition, you need to determine how changes in technology will affect how your organization adheres to cybersecurity and privacy laws and regulations. Think about how a single technological change such as the cloud has changed your business model.

If you look into the various laws throughout the world, you will see that countries have varied approaches to cyber sovereignty and digital rights. How your company uses information in one country may not be legal in another. The US and the UK have historically dominated cybersecurity law precedent; however, other countries are proving to be more nimble and adaptive when it comes to drafting cybersecurity and privacy legislation. I am often asked, "Which country has the best cybersecurity legal framework?" My answer for years has been Australia. My two principal reasons are 1) their country-wide application of uniform cybersecurity laws, and 2) integration with the Australian Signals Directorate (known until 2013 as the Defence Signals Directorate), part of the Australian Department of Defence, for security and privacy practices guidance. Integration with the Australian Signals Directorate is important because it publishes comprehensive guides on cybersecurity controls, such as the Australian Government Information Security Manual, and shares extensive data on cyberattacks. In the US, we have many competing and overlapping laws, leading to a convoluted cybersecurity legal framework, and the US Department of Defense tends to keep its valuable cybersecurity data private.
This chapter is my opportunity to share my views on the future of cybersecurity law as well as to highlight international developments that I believe will shape the security and privacy legislative agenda for the future.

5.2 Impact of Technology on Cybersecurity Law
Advances in technology have the potential to affect cybersecurity law more than any other driver. Some of the technologies you will need to evaluate in the context of cybersecurity law include:
• Internet of Things (IoT).
• Big data.
• The cloud.

You will need to look at your company's technology roadmap and future vision to assess the impacts of privacy legislation and the application of cybersecurity. For example, if your marketing director tells you he or she is exploring the use of "algorithmic personality detection" for marketing or risk management, would you know whether this initiative would break any privacy laws by searching customer social media feeds?

5.2.1 Legal Implications of the Internet of Things (IoT)
If you have not already heard of the Internet of Things (IoT), trust me, you will, and a lot. IoT is the expansion of interconnected devices from vehicles, smartphones, and manufacturing equipment to home appliances. It is the new infrastructure for the information society. Anything with an IP address can be connected, allowing device sensing and control from anywhere in the world. IoT will generate massive amounts of data that your company can analyze to make informed decisions throughout the entire lifecycle of your products or services. Analysts at Gartner estimated that 6.4 billion devices would be connected worldwide in 2016 (Gartner, Inc., 2015). Imagine for a moment the significant impact that privacy legislation alone would have concerning personally identifiable information gathered from homes, hospitals, and financial institutions.

Let's fast forward to 2020, when you live in a world where your car can connect automatically with law enforcement and insurance data clearinghouses. Your IoT-enabled car sends speed and location information from its sensors to a central law enforcement database that connects to your local police department to issue you a speeding ticket each time you are detected speeding. And yes, the ticket would show up on your smartphone. What are the privacy implications of that scenario? Another scenario, on a more positive note, would be one in which you pay your car insurance on an insure-as-you-go basis. Here, the insurance company receives information about your driving infractions, where you park, where you drive, and how many miles you drive. The insurance company applies risk scoring to every aspect of your driving habits, and your monthly insurance bill is computed based on usage.
For example, if your car is parked for most of a month, your risk of an accident is lower than if you spent the majority of the time driving on an interstate highway. These examples and many other advancements leveraging IoT are coming, with the potential for a substantial impact on cybersecurity law as well as your life.

5.2.2 Legal Implications of Big Data
Big data is large amounts of differently structured data acquired from many sources and deposited in a huge central repository for analysis. The legal aspect enters when many pieces of disparate data, each with its own privacy requirements, are commingled in a single location. Big data permits grocery stores to send you the right coupons because large amounts of data about your digital persona are stored and shared among many companies. Concerns about the legal implications of big data led the White House (Executive Office of the President) to publish Big Data: Seizing Opportunities, Preserving Values, a study that looked at big data and the law. The study looked at how big data could help law enforcement, but also considered how big data could be abused. The study's cover letter to the president states that "...big data analytics have the potential to eclipse longstanding civil rights protections in how personal information is used ...." (Podesta, Pritzker, Moniz, Holdren, & Zients, 2014).

This concern is not unfounded. We leave a digital footprint of just about everything we do. Big data sensors and collectors exist virtually everywhere, capturing our digital trail and tracking all our encounters and interactions in life to create a 360-degree view of who we are. If your company uses big data, you will need to ensure that the privacy of that information is protected. If you recall from Chapter 3, I discussed the identifiers of data that, if revealed, can be used to compromise personally identifiable information (PII) and protected health information (PHI). Big data makes this more complicated because instead of having, for example, the standard 18 PHI identifiers, you now could have hundreds from many different sources to protect. Some privacy considerations that you should think about with respect to big data include:
• Are you capturing private information about foreign nationals?
• Are you violating any constitutional rights because of your collection of big data?
• Are you anonymizing big data to preserve individual privacy?

The questions regarding big data privacy are endless.

TIP: When many data sets from multiple sources, each with its own privacy requirements, are commingled as big data, the easiest way to implement privacy controls is to apply the highest level of identifier protection required by any of the sources to all of the big data.

5.2.3 Legal Implications of the Cloud
The cloud is hardly a new technology; however, advancements in cloud technology are causing concern over data privacy. You may be hosting customer data or your own company's data in the cloud, but do you know where that data goes? Is your cloud data bursting (being sent to other locations to meet capacity demand) into countries that have stricter data privacy laws than those to which your data handling is presently designed to adhere? Is your data hosted in a country that restricts the personal identifiers you are allowed to maintain? These and many other questions must be asked to ensure your cloud computing is not breaking any privacy laws. Balance the economic benefits and processing efficiencies the cloud provides against the law.

The contracts for cloud computing that you sign, or have your customers sign, must clearly outline the legal protections and responsibilities of each party. You will need to ensure that data governance, privacy, security, and access policies conform to the law of each state or country through which that cloud data may pass or in which it may reside. Do you know your legal rights under the cloud computing contracts you signed? If you host and process data for internal or external customers, you should have a set of recommended customer controls they should deploy to participate in the security and privacy of their data. These controls could be as simple as a policy to keep their access passwords secure or as sophisticated as pre-scanning their data for malware before uploading it to your site.

5.2.4 Legal Implications of Security Testing
Could you be breaking the law by performing security testing? You just may be, if you are not doing it properly. Large organizations have security testing labs where they deconstruct software looking for weaknesses. The problem is that virtually all software is copyrighted and covered by the Digital Millennium Copyright Act (DMCA). I became keenly aware of DMCA's Section 1201 when developing a large "red team" penetration testing program for a Fortune 500 company. The red team was staffed with expert penetration testers who assumed the fictitious role of a hacker attempting to break into the client's network and applications. I found that requesting an exemption under the DMCA would take too long, destroying the project's timeline. I went to an alternate plan in which a DMCA violation assessment was performed on the copyrighted software products that could cause us to violate the DMCA with our security testing. For those products, we sought consent from the software product owners. This was the right course of action because it was illegal for security researchers to unlock copyrighted software or otherwise circumvent the product's security measures without the consent of the author or licensor of the software.

In late 2014, I heard from some security researcher friends that a movement had begun to attempt to change the language of Section 1201. Wondering whether anything came of their efforts, I recently examined the Section 1201 rulemaking document. I read in this report that many security researchers and academics petitioned the US Copyright Office to amend Section 1201, removing the language making it illegal to perform security testing and search for vulnerabilities. Their efforts paid off because, as of October 28, 2016, the DMCA includes a two-year exemption, or more importantly two years of legal protection, for good-faith security research, including reverse engineering and security testing of copyrighted software.
This is another example of how the law permeates many aspects of your company's technology and security operations. I recommend providing your security research or applications development team with a copy of this exemption to review what changes, if any, they need to make to ensure compliance with the DMCA. If you want to read up on all the changes as I did, you can go to the US Copyright Office website at http://www.copyright.gov/title17/92chap12.html.

5.3 Future US Cybersecurity Legislation
Cybersecurity begins at home, which is exactly where I will start. US cybersecurity and privacy legislation is robust, albeit confusing. And it is about to get even more confusing in light of the more than one dozen new pieces of cybersecurity legislation still pending on Capitol Hill. No one knows which of these will become law, but one thing is for sure: it is in your best interest to know what these bills entail so that you can monitor those most applicable to your organization. I also see no end to new cybersecurity and privacy laws, despite the campaign promises of candidates for political office that they will eliminate government regulations. In my opinion, and based on recent and pending cybersecurity legislation, this is an area of regulation that is likely to increase. As of this writing, the following are active cybersecurity bills worth keeping an eye on, with the summary text provided by the respective bill's sponsors:

• H.R.1560 – Protecting Cyber Networks Act: Amends the National Security Act of 1947 to require the Director of National Intelligence (DNI) to develop and promulgate procedures to promote: the timely sharing of classified and declassified cyber threat indicators in possession of the federal government with private entities, non-federal government agencies, or state, tribal, or local governments; and the sharing of imminent or ongoing cybersecurity threats with such entities to prevent or mitigate adverse impacts.
• H.R.1731 – National Cybersecurity Protection Advancement Act of 2015: Allows the DHS National Cybersecurity and Communications Integration Center (NCCIC) to include tribal governments, information sharing and analysis centers, and private entities among its non-federal representatives.
• H.R.3664 – Promoting Good Cyber Hygiene Act of 2015: Requires the National Institute of Standards and Technology (NIST) to establish for the federal government, the private sector, and any individual or organization a list of voluntary best practices for effective and usable cyber hygiene to help protect information systems or devices against cybersecurity threats that include unauthorized access, alteration of information or code running on such systems or devices, and unauthorized denials of service.
• H.R.3873 – International Cyber Policy Oversight Act of 2015: Directs the Department of State to produce a comprehensive strategy, with a classified annex if necessary, relating to US international cyberspace policy, and publicly release such strategy.
• H.R.3878 – Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2015: Requires DHS to implement, and evaluate at least every two years, a maritime cybersecurity risk assessment model to evaluate current and future cybersecurity risks. The model must be consistent with the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity and any updates under the Cybersecurity Enhancement Act of 2014.
• H.R.5069 – Cybersecurity Systems and Risks Reporting Act: Amends the Sarbanes-Oxley Act of 2002 to apply to cybersecurity systems and cybersecurity systems officers the same requirements regarding corporate responsibility for financial reports and management's assessments of internal control structures and procedures for financial reporting as apply to public companies subject to oversight by the Securities and Exchange Commission (SEC).
• H.R.5390 – Cybersecurity and Infrastructure Protection Agency Act of 2016: Redesignates the Department of Homeland Security's (DHS's) National Protection and Programs Directorate as the Cybersecurity and Infrastructure Protection Agency (CIPA). Requires CIPA to perform critical infrastructure risk assessments to determine the risks posed by particular types of terrorist attacks within the United States, and recommend measures necessary to protect critical infrastructure in coordination with other federal entities and in cooperation with nonfederal entities.

• H.R.6032 – Data Breach Insurance Act: Provides IRS tax credits for the purchase of data breach insurance.
• H.R.6066 – Cybersecurity Responsibility and Accountability Act of 2016: Requires the designation of a senior agency information security officer. Grants more authority to the Director of NIST to publish a cybersecurity framework, conduct research, and perform an annual independent evaluation of cybersecurity programs and major cybersecurity incidents.
• S.2007 – Federal Cybersecurity Workforce Assessment Act: Requires federal agencies to identify all personnel positions that require the performance of information technology, cybersecurity, or other cyber-related functions and align them to the National Initiative for Cybersecurity Education's National Cybersecurity Workforce Framework.
• S.2764 – Cyber AIR Act: Requires domestic or foreign air carriers and manufacturers of aircraft or of electronic control, communications, maintenance, or ground support systems for aircraft to disclose to the Federal Aviation Administration (FAA) any attempted or successful cyberattack against any system on board an aircraft or against any maintenance or ground support system for aircraft.
• S.3024 – Small Business Cyber Security Improvements Act of 2016: Authorizes the Small Business Administration (SBA) to make grants to small business development centers (SBDCs) in furtherance of an SBDC Cyber Strategy to be developed by the SBA and the Department of Homeland Security (DHS).
• S.3295 – National Cybersecurity Preparedness Consortium Act of 2016: Provides for cybersecurity training for state and local cyberattack first responders and promotes cross-sector cyberattack simulations.

In addition to these bills, dozens of amendments have been proposed to existing laws. As you can see, laws exist and are being proposed for virtually every type of company or government organization in relation to cybersecurity. The reality is that not many of these bills will eventually become law. I also expect some of them to converge as they make their way through the legislative vetting process.

5.4 US Foreign Policy on Cybersecurity
You may not have thought about the US having a foreign policy on cybersecurity, but we do. Our economic health and prosperity depend on global trade, and one of the top economic enablers is a secure cyberspace in which to conduct commerce. Just as your company may be financially impacted by a cyberattack, our economy can be significantly harmed if a nation-state were to launch a cyberattack against our critical financial infrastructure. This requires that our nation have a foreign policy on cybersecurity just as we have a foreign policy on terrorism. The five components of the US government's cybersecurity foreign policy of which you should be aware are:

1. Secure US Critical Infrastructure – ensure the infrastructure on which the US economy relies is free of foreign cyberattacks.
2. Sense and Identify Cyber Threats – maintain the ability to identify and respond to foreign cyberattacks.
3. Build International Cybersecurity Partnerships – work with the nations of the world to ensure a secure Internet.
4. Secure US Government Networks – set clear security protection targets and hold agency heads accountable.
5. Build a Self-reliant and Capable Cybersecurity Workforce – work with the private sector to attract, train, and retain a top cybersecurity workforce.

You may have the impression that these components are not very comprehensive, and you would be right, except when you put them in the context of goals. The US government's foreign policies are meant to serve only as goals supported by Presidential Orders and Directives. Table 5-1 provides a summary of the Presidential Orders and Directives that support our nation's cybersecurity foreign policy.

Table 5-1. Presidential Orders and Directives

Year | Directive or Order | Subject
2014 | Presidential Policy Directive 28 (PPD-28) | Protection of Signals Intelligence Activities, to reduce the potential for disclosure.
2013 | Executive Order 13636 | Improving Critical Infrastructure Cybersecurity, to reduce cyber intrusions.
2013 | Presidential Policy Directive 21 (PPD-21) | Critical Infrastructure Security and Resilience, to strengthen and maintain secure, functioning, and resilient critical infrastructure.
2011 | Executive Order 13587 | Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, to ensure national security.
2009 | President-directed 60-day, comprehensive, "clean-slate" review | Cyberspace Policy Review of security-related policies and directives to validate their relevancy.
2009 | Policy Review | Cyberspace Policy Review of the documents included in the clean-slate review.

To see how some or all of these orders and directives support the US foreign policy on cybersecurity, I recommend you review the White House site at https://www.whitehouse.gov/issues/foreign-policy/cybersecurity.

5.5 National Association of Insurance Commissioners (NAIC) Model Cybersecurity Law
The insurance industry has been inextricably linked to cybersecurity law for some time now. Many companies carry some form of data breach insurance, thereby placing insurance companies in the position of paying for these breaches. You may recall cyber liability policies from previous chapters; in Chapter 6, I cover these types of policies in more detail. To show leadership for their insureds, the National Association of Insurance Commissioners (NAIC) is working to adopt a model law under which licensed insurance companies are held to the highest standards and practices of protecting information.

I have followed the development of this model law, as several of my clients are insurance companies. What I found interesting is that this law, which was initially positioned as the exclusive standard for data security and breach investigation for insurance companies, has now become fairly bland. In my review of the latest model draft, I noticed a substantial softening of the previous hard stand on required controls and enforcement. I suspect a lot of the changes resulted from lobbying by state insurance commissioners, who charter insurance companies to operate in their states. Their concerns likely involved how the model law could conflict with existing state safety and soundness requirements, as well as duplication with state data breach laws. They likely already feel overregulated when it comes to cybersecurity. I originally saw this model law as a harbinger of insurance companies requiring their policyholders to comply with the model law to obtain cyber risk insurance. Given the number of lawsuits between insurance companies and cyber liability policyholders, this model law could have served as a baseline of minimum cybersecurity standards on which to base policy underwriting decisions.
I always felt that the NAIC hoped to remove the confusion regarding the proper standard of care for protecting personal information, reducing insurer-policyholder lawsuits. The Insurance Data Security Model Law was open to comments through September 2016, and its ratification is expected before the end of 2016 or in early 2017 (National Association of Insurance Commissioners, 2016). If you are in the insurance industry, you may find it helpful to review my summary of the model law:
• The model law does not supersede any state data breach laws; however, the law that affords the most consumer protection is to be followed. This represents a compromise from the exclusive standard originally proposed.
• Licensees have the exclusive right to oversee the cybersecurity capability of their third-party service providers and will be responsible for any third-party failures to protect personal information. This is the strongest provision of the model law.
• Originally, the model law specifically required licensees to follow NIST security standards; this has been changed to "accepted cybersecurity programs."
• Originally, licensees would have been required to participate in an Information Sharing and Analysis Center (ISAC); this has now been changed to accepted cybersecurity principles for sharing information.
• The draft removes much of the enforcement provisions, including judicial review, monetary penalties, and cease and desist orders. This removal is likely due to duplication with numerous state data privacy laws.

If you work for an insurance company, you will have yet another law with which to comply. However, you will also have the challenge of mapping this law against each of the states where your company operates to know which portions of the model law apply in comparison to each state's data protection laws.

5.6 Harmonization of International Cybersecurity Laws
The global economy relies on free trade to fuel economic growth and sustain the world's financial health. Many of the world's largest economies are so inextricably linked that when a country like China or Greece has a financial hiccup, the world's financial markets reel, sending a seismic economic shiver throughout the financial world. What would happen to the global financial markets if a cyberattack were launched against the world's financial infrastructure? The results could very well cause their own economic seismic shock. Cooperation between trading countries in the area of cybersecurity to reduce the risk of such an attack is an economic security imperative. What the hundreds of cybersecurity, privacy, and data protection laws enacted worldwide reveal is that countries differ significantly on what data should be protected and how. These differences must be reduced through the harmonization of cybersecurity legislation. Not only will this harmonization enable free trade, but it will also ensure the security of trade activity.

5.6.1 Cybersecurity Law and Trade Pacts
To promote this trade, countries negotiate trade pacts to facilitate and balance trade between economic zones or specific countries. The world economy has evolved into two factions:
• Those that manufacture goods.
• Those that are information-based and produce services.

Connecting these two factions is information technology; acknowledgment of this can be found in virtually every trade pact ratified in the past 20 years.
Trade cannot occur without electronic payments, sophisticated applications, and the protection of intellectual capital. With shared customers, multi-country manufactured goods, and cloud-based services, the global economy has placed the world’s goods and services on the doorstep of Main Street. And the enabler to all this is and will continue to be cybersecurity law.

To underscore the importance of cybersecurity to the US, let’s look a little closer at economic data. According to the US Department of Commerce, 81 industries out of the 313 tracked are intellectual property (IP) driven, generating over 27 million jobs. These IP-driven industries generate $6.6 billion, or 38.2 percent, of the US gross domestic product (GDP) (Antonipillai & Lee, 2016). For this number to grow, the US will need to expand trade pacts, which in turn will require cybersecurity to enable IP-driven growth.

5.6.2 Harmonization of Cybersecurity and Privacy Law

However, without the harmonization of these laws, the global economy risks turning into a factional economy where only those countries that can agree on shared ideals of protecting information will trade. Harmonization of cybersecurity and privacy law is not only inevitable but essential to a healthy global economy. Harmonization of laws is the process of aligning and rectifying legislative disparities so that countries can trade goods and services on an even basis, knowing that information exchanged is equally protected and that the integrity of their IP is maintained. What this means for cybersecurity, at the very least, is that computer security terminology must be normalized, as must the definitions of privacy. We need to begin at least by speaking the same language. In the extreme, agreements must be made on how to globally enforce cybersecurity legislation, with supporting global rules of procedure for criminal and civil cases. One of the impediments that I can see to normalizing personal privacy attributes is human rights protections. Countries such as China, Pakistan, and others use cybersecurity laws to prevent freedom of speech and invade personal privacy rights to further carry out their governments’ oppressive control.
With the issue of human rights and confidentiality looming, the US, as well as other democratic countries, will find it difficult to enter into unilateral cybersecurity and privacy laws or agreements.

5.7 Trans-Pacific Partnership (TPP) Cybersecurity Framework

After hearing for the better part of a year about the 12-nation Trans-Pacific Partnership (TPP) that was finalized in February 2016, I was eager to download a copy of the agreement to see how cybersecurity was treated. Chapter 14, Electronic Commerce, was exactly what I was looking for – an entire section dedicated to cybersecurity. After reading this chapter, I can provide you with a glimpse into the future of cybersecurity agreements. I was pleasantly surprised to see a uniform definition of personal information. Within TPP, “personal information means any information, including data, about an identified or identifiable natural person” (Trans-Pacific Partnership, 2016, Article 14.1). As previously discussed concerning the harmonization of cybersecurity laws, arriving at a cybersecurity language framework will be crucial to achieving a global framework on cybersecurity law. TPP offers the first step, where the following 12 nations have aligned on a definition of personal information: Australia, Brunei, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore, US, and Vietnam. If your company does business with any of these countries, I recommend you read Chapter 14, Electronic Commerce, to see how TPP may impact how you approach cybersecurity with any of your trading partners or customers.

Chapter 14 of this agreement contains articles which I believe have the potential to shape the future of international cybersecurity and privacy law harmonization. Below is the exact text (and my own paraphrasing and summaries) from the TPP relating to the cybersecurity articles, along with my forecast of impact:

• Article 14.5: Domestic Electronic Transactions Framework – Requires each party to maintain a legal framework governing electronic transactions consistent with the principles of the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce (United Nations, 1999), or the United Nations Convention on the Use of Electronic Communications in International Contracts (United Nations, 2007). My prediction is that what we will likely see here is a formalization of security frameworks backed by the force of law by each of the parties relating to:
o The legal value of computer records.
o Stringent standards for protecting computer records.
o Certifying and preserving computer records.
o Message authentication.
o Technical security devices.
o Non-repudiation of messaging.
Forecast: Participating countries will adopt a unified security framework based on some portions of the UNCITRAL model. The security framework will require modernization to reflect current and future technologies. Ratifying countries will enforce the provisions of TPP and the security framework through their respective laws and regulations.
• Article 14.6: Electronic Authentication and Electronic Signatures – Requires that each party accept digital signatures in the same manner as physical signatures and prevents parties from requiring a judicial review of signatures to prove authenticity.
Forecast: Will create the need to adopt a digital signature standard (DSS) and uniform legal ratification across national jurisdictions. A reasonable standard could be adopted by the US with our FIPS PUB 186-4, Federal Information Processing Standards Publication – Digital Signature Standard (DSS). Software companies will create a DSS platform supporting language and character localization of digital signatures.
• Article 14.8: Personal Information Protection – Requires each party to adopt or maintain a legal framework that provides for the protection of personal information, leveraging privacy guidelines from relevant international bodies. The legal aspects of privacy will be further enunciated by:
o Adopting practices to protect individuals from privacy violations.
o Prescribing how individuals can pursue privacy violation remedies.
o Publishing how business can comply with any legal requirement.
o Promoting compatibility between privacy legislation.
Forecast: Will bring forth the identification and ratification of one or two internationally accepted privacy frameworks to form safe harbor provisions for companies following and abiding by the Safe Harbor provision. The likely candidate for this framework is the Organisation for Economic Co-operation and Development (OECD) (2013) Privacy Framework, based on the fact that seven of the largest TPP countries are currently OECD members (Organisation for Economic Co-operation and Development, 2016).
• Article 14.11: Cross-Border Transfer of Information by Electronic Means – Requires parties to allow the cross-border transfer of personal information.
Forecast: Will foster an agreement or pact backed by the force of individual national laws for the adoption of uniform privacy-preserving measures for data-in-transit, data-at-rest, and data residing in the cloud.
• Article 14.14: Unsolicited Commercial Electronic Messages – Requires parties to maintain measures to restrict and limit unwanted electronic messages, such as spam. Recourse will be available to parties initiating the unwanted electronic messages.
Forecast: Adoption of a Trans-Pacific spam law based on a uniform framework implemented by each nation’s Internet service providers and telecommunication providers. The law would contain a standard definition of offenses and consistent penalties and memoranda of extradition.
• Article 14.15: Cooperation – Requires companies to cooperate and share experiences in personal information protection, regulation, consumer protection, security, authentication, and other related matters.
Forecast: Lays the groundwork for the creation of a Trans-Pacific Information Sharing and Analysis Center (ISAC) deployed within one of the 12 nations and staffed with multi-nation cybersecurity and privacy experts.
• Article 14.16: Cooperation on Cybersecurity Matters – Requires parties to establish national incident response and malware detection and alert capabilities to address cybersecurity and cyberattack events.
Forecast: Lays the groundwork for the formation of a Trans-Pacific computer emergency response team (CERT). The CERT would maintain a malware lab to investigate and create mitigation capabilities for zero-day vulnerabilities.

The TPP will provide an unprecedented opportunity to draft a pact or series of cybersecurity agreements that may very well usher in the age of global cybersecurity law harmonization.

TIP: Evaluate the TPP in relation to the countries where your organization conducts business. Flag the laws of those countries for legal alerts to gain insight whether the TPP will influence their legal provisions.

5.8 Aligning the Law of the Sea to Cybersecurity Law

The concept of the Law of the Sea has been around since 1958, and after many iterations, a formal convention, the United Nations Convention on the Law of the Sea (UNCLOS), was drafted and opened for signing in 1982, going into force in 1994. To date, over 100 nations have signed the Convention (United Nations, 1982). Most of us who have ever watched television news have heard about countries having the right to claim, as sovereign, territory 12 nautical miles off their coast. Second to this is another 200 nautical miles that can be classified as an economic zone – think fishing, mining, and recreation. Beyond all of that is the high seas, where pirates exist. The high seas have often been compared to cyberspace, and it is what can happen on the high seas in light of the Law of the Sea that has often been compared to cybersecurity law. Under UNCLOS, each country can apply its own interpretation to passage on the high seas and how it defends itself and others. There is a growing argument that cyberspace can be treated the same way as the high seas and that countries have the right to defend themselves against cyberattack. The United Nations (UN) Division for Ocean Affairs and the Law of the Sea is a good source for more information: http://www.un.org/Depts/los/convention_agreements/convention_overview_convention.htm.

In 2009, the US Coast Guard and the Department of Homeland Security jointly issued a Port Security Advisory entitled Guidance on Self-Defense or Defense of Others by US Flagged Commercial Vessels Operating in High-Risk Waters.
The advisory states that use of lethal force is permitted in self-defense or to defend others when you believe an imminent danger of death or great bodily harm exists; non-deadly use of force is permitted in self-defense or defense of others as well as in defense of the vessel and its cargo from theft or damage; and concerning the protection of property, force may only be used to defend the vessel and its cargo when authorized by the vessel’s master (US Department of Homeland Security, 2009). Some legal scholars and cybersecurity experts are making the point that governments and businesses have the right to defend themselves against a cyberattack using the principles of UNCLOS. In fact, the US and UK have already made public declarations that under certain conditions they may retaliate against a cyberattack. Applying provisions of UNCLOS to businesses under cyberattack may provide the legal basis to enable companies with the resources to protect themselves when under cyberattack. I believe that there will soon be a precedent case where a US company fights back while under cyberattack. The FBI already suspects private companies of hiring security companies to retaliate against those who attack first. In 2013, JPMorgan Chase came under the FBI’s scrutiny when, coincidentally, it was reported that hackers took down the same Iranian servers that were purportedly used to attack the bank’s infrastructure – an action for which the company is said to have advocated in a meeting with the US government in 2013 (Mott, 2014).

5.9 Cybersecurity Law in Outer Space

In case you are chuckling at this topic, hold your laughter until I tell you that you can now receive a one-of-its-kind Master of Laws (LL.M.) degree from the University of Nebraska in space, cyber, and telecommunications law. If you are still chuckling, consider that in 2008 cosmonauts on the International Space Station discovered a virus (W32.Gammima.AG) that shot up to the space station on a Russian laptop (Powell, 2008). Most of us probably don’t think much about cybersecurity law in space, but it could become a problem, especially in light of the growth in private space commerce. Think for a moment about what is floating around in space – technology, satellites, rockets, vehicles, space stations, and other space-based systems. Each of the countries which sends its astronauts to the space station brings its own technology. What would happen (again) if any one of those computers was infected through a zero-day vulnerability? A zero-day vulnerability is a computer vulnerability that is not known in advance. Much of the world’s air and maritime transportation, weather data, military communications, and financial communications rely on space technology. Imagine the consequences of a cyberattack against a satellite. Well, you won’t have to imagine it, since this has actually happened, in 2014, when US satellites fell victim to a major Chinese cyberattack (Johnson, 2014). No shortage of threat vectors exists when you consider the over 1,200 satellites circling space from 60 different countries (Meyer, 2016). The basis for any cybersecurity law applying to space would likely need to be forged on the 1967 Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, Including the Moon and Other Celestial Bodies.
After reading this treaty, I believe the following articles provide the best basis for cybersecurity law in space:
• Article III: This section specifically calls out the rule of international law and acting in the interest of security.
• Article IV: Parties to the treaty will not place any weapons into orbit. This can easily be interpreted as including cyberattack weapons.
• Article V: Any phenomena discovered in outer space that constitute a danger will be reported. This can be interpreted as covering cyberattacks or cybercrime. The article also mentions rendering all possible assistance to astronauts. One could conclude this may apply to a space-based CERT.
• Article VII: This article calls for international liability for damage to another state party. This language mirrors language in cybersecurity legal recourse laws.
• Article VII: In one of the clearer points of responsibility law, the article states that whoever launched the personnel into space has jurisdiction over them.
• Article IX: The concept of harmful interference is described here, and that consultation or other form of intervention may be required. This could be construed as nations not releasing malware, willfully or unwittingly, on other nations’ equipment.
• Article XII: In this article, provisions are discussed for taking maximum precautions to avoid interference with normal operations. This could very well apply to the adoption of a security controls framework for space station equipment.

I believe that various provisions of UNCLOS could be applicable in addressing cybersecurity law in outer space. In the event that outer space is used for cyber warfare, the Tallinn Manual, discussed further in the next section, addresses that scenario. Specifically, Rule 3 of the Tallinn Manual states that cyberinfrastructure in outer space is subject to the jurisdiction of the flag state or the flag of registration. Similar to a ship’s registry, a spaceship’s registry allows the vessel to assume the nationality of the country of registration, inheriting its laws.

5.10 The Law of Armed Conflict in Cyberwar

Armed conflict in cyberspace has already occurred, as evidenced by the crippling hacking attacks against Estonia in 2007 and Georgia in 2008 during their war with the Russian Federation. Another example is the 2010 cyberattack by the US against Iran’s nuclear facilities with the Stuxnet worm (Sanger, 2012). I remember these incidents as if they were yesterday from my involvement with some European and utility customers that used these examples as risk simulations. Article 51 of the UN Charter, the provision for a country to use self-defense including the use of force, applies in the event a cyberattack reaches the level of an armed attack. Organizations such as the UN and NATO consider an attack as reaching the level of armed attack when a cyberattack is launched against a country’s critical infrastructure. Under an armed conflict law in cyberspace, nations could conduct offensive cyberattacks against aggressor states that have attacked them. The concept of this proposed law includes provisions to prohibit attacks against critical infrastructure or civilian targets. In 2013, the Tallinn Manual on the International Law Applicable to Cyber Warfare was published, which reflected the opinions of 20 noted experts on the question of cyber warfare. The Tallinn Manual was written over the period of 2009 to 2012 at the invitation of the NATO Cooperative Cyber Defence Centre of Excellence.
Version 2.0 of the manual is set to publish in late 2016. These experts unanimously agreed that the law of armed conflict applies directly to cyber warfare and, in fact, that conventional laws of the battlefield wholly apply. Within the manual, Rule 30 defines a cyberattack as a “cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects” (Schmitt, 2013). The manual has 95 rules of cyberwar covering such areas as:
• Participation in armed conflict.
• Conduct of hostilities.
• Means and methods of warfare.
• Conduct of attacks.
• Blockades.
• Detained persons.
• Occupation.
• Neutrality.

It is my opinion that, in the US, just as the Naval War College and the National War College have introduced some aspects of cyberwar training, there may soon be a dedicated Cyberwar College to train civilians and military personnel in the art of cyberwar. This will likely be accelerated once US foreign policy is determined on the issue of cyberwarfare.

5.11 North Atlantic Treaty Organization (NATO) Cyberlaw Stance

In 2016, NATO recognized cyberspace in the same manner as it does land, sea, and air, and has affirmed that international law applies in cyberspace (Lin, 2016). I believe that shortly we will see NATO military resources coming to the aid of treaty countries to defend their sovereign cyberinfrastructure in the same manner they would in repelling a foreign aggressor from attacking a treaty member’s homeland. Further expanding this commitment to protect cyberspace is NATO’s Technical Arrangement on cyber defense cooperation, signed with the European Union in February 2016. NATO is also intensifying its cooperation with industry via the NATO Industry Cyber Partnership. NATO has emphasized cyber defense as part of its mission within legal principles and the rule of law. I believe it will be difficult for NATO to do much in the area of cybersecurity attack intervention because it must adhere to a complicated legal environment comprised of national law, transnational law, European Union law, and international law. To be successful, NATO will need to create a cyberwar legal framework that harmonizes these disparate laws.

5.12 United Nations – Universal Cybersecurity Legal Framework

The UN has been actively involved in drafting a legal framework for cybersecurity since 2004. Its efforts began with the formation of four groups of governmental experts (GGEs) whose members examined the threats and vulnerabilities of operating in cyberspace and offered cooperative measures that nations could adopt.
Since then, GGEs have assembled to refine the original cooperative measures. The result of the most current GGE report is UN Resolution 70/237: Developments in the field of information and telecommunications in the context of international security, which calls on member nations to adopt the recommendations of the report. The next GGE panel is scheduled for a 2016-2017 term to update the 2015 report. The 2015 report reflects the input from 20 diverse nations, including Egypt, Japan, Pakistan, Russia, and the US. The goal of this report, as in past GGE reports, is to promote open, secure, stable, accessible, and peaceful information communications technologies (ICT) throughout the world. The report acknowledges that some member states are building ICT military capabilities and that it is only a matter of time before armed cyber conflict erupts. A very real concern is voiced over the cyber destruction of critical infrastructure and terrorist and criminal use of ICT. Table 5-2 highlights some of the most interesting aspects of the report that I believe will guide the evolution of cybersecurity law on a global basis.

Table 5-2. Important UN Legal Framework Sections

No. | Framework Topic | Overview
II. | Existing and emerging threats | Acknowledges a disturbing increase in the following: incidents involving the malicious use of ICTs, states developing ICT capabilities for military purposes, most harmful attacks directed at critical infrastructure, terrorist attacks against ICTs, the diversity of malicious non-state actors attacking ICT, and an imbalance of cyberwarfare among states.
III. | Norms, rules and principles for the responsible behavior of states | Develop responsible behavior among states consistent with international law, restrict harboring of cyber terrorists, improve protections to critical infrastructure, and improve the security of the supply chain to ensure the security of global trade.
IV. | Confidence-building measures | Develop cross-nation capabilities to build strong ICT threat sharing and incident response capabilities. Create a repository of national laws and adopt a category scale to rate ICT incidents. Establish national CERTs, develop national cybercrime investigation capabilities, and leverage the UN for cross-nation adoption of cybersecurity laws and capabilities.
V. | International cooperation and assistance in ICT security and capability building | Build capacities commensurate with nation-state threats, assist developing countries in the creation and support of their ICT protection programs, and build partnerships among nations to support mutual assistance.

The majority of the report focuses on the norms, rules, and principles for responsible cyber behavior. Although these are non-binding, they do tend to set in motion the groundwork for future treaties. Also, they can form the legal framework of the universal laws which should apply to cyberspace. I believe that the weight of this legal framework comes from the fact that the five permanent members of the UN Security Council participated in the report. One critical aspect of the report, and its subsequent adoption by Resolution 70/237, is the limiting of the legitimacy of state actions purposely breaching the intellectual property of companies or the personal information of individuals. I do not expect that legal experts and GGEs will come together to create the language necessary to sanction nations who enter into armed cyber conflict or invade the cyber sovereignty of member nations until the 2018-2019 working group convenes. More detail about the GGE report and UN Resolution is at the UN website: http://www.un.org/ga/search/view_doc.asp?symbol=A/70/174.

5.13 International Treaties on Cybersecurity

One of the more lackluster – even naïve – attempts I have seen in my years as a cybersecurity expert has been the creation of cybersecurity treaties or cooperation agreements. I have commonly referred to these types of agreements as “security theater.” In a belief that they can stave off cyberattacks, nations create treaties that they hope will eliminate attack vectors from a potentially hostile country. As a common theme to the contents of these treaties, I have seen that the governments promise:
• Not to attack one another.
• To control bad actors or hackers operating on their territory.
• To cooperate in pursuing cyber criminals.
• To jointly execute incident response processes when bilateral cyberattacks occur.

I have gathered a list of such treaties currently in effect. Unfortunately, I have yet to see any evidence that the following treaties have stopped a single denial of service or hacker attack:
• African Union Convention on Cyber Security and Personal Data Protection – A 2015 treaty specifying the protection of electronic transactions, personal data protection, promotion of cybersecurity, and combating cybercrime. Of the 54 countries that may participate in this cybersecurity treaty, only eight have signed.
• ANZUS Treaty – In 2011, the governments of the US and Australia amended a 60-year-old treaty to include cooperation in the protection of cyberspace. Adding cybersecurity was an obligatory addition to garnering positive press for both countries in light of increased cyberattacks.
• Budapest Convention on Cybercrime – A 2001 treaty covering 48 articles of privacy and cybercrime available for adoption by the member states of the Council of Europe. One of the few treaties that actually helped, with its treatment of privacy as a basic right.
• Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data – One of the first treaties of its kind, published in 1981 by the Council of Europe, this treaty has 13 Articles that specifically cover the protection of personal data, mutual aid, and data security.
• Scientific and Technological Cooperation, Homeland/Civil Security Matters between the US and the Netherlands – Agreement to cooperate in science and technology in areas of civil security matters including cybersecurity, signed in 2012. This one is still a mystery to me. I have yet to see where a single outcome emanated from this agreement.
• Russia and China Cyber Security Pact – Cyberspace nonaggression pact signed in 2015 and agreement to pool information, law enforcement, and technology resources to defend against any cyberattacks. This is one of the most secretive pacts, as there is currently no published English version of the pact to review. Ironically, two of the world’s largest hacker communities agreed not to hack each other, but the pact does nothing to stop them from hacking others.
• US and China Cyber Agreement – A 2015 agreement to not conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors. The fact that China still attacks the US with great regularity since the signing of this agreement is proof enough for me that it has not worked.

I believe that treaties have more of a temporary “feel good” effect rather than having any real impact on reducing cybercrime. For the most part, the treaties mentioned above have been widely viewed as unsuccessful, with many drafting nations refusing to sign their respective treaty. Beyond that, I attribute their poor success to the lack of the force of law and to their reliance almost exclusively on mutual cooperation and voluntary efforts.

5.14 Brexit Impact on European Union Cybersecurity Law

The United Kingdom (UK) referendum on July 23, 2016, which voted to let the UK withdraw from the European Union (EU), caused many of us angst as we watched our retirement portfolios take huge hits, and we were probably not thinking about its impact on cybersecurity law. Nonetheless, this initiative, called Britain Exiting or Brexit, may very well have an impact on the 40-plus years of computer security lawmaking in which the UK was involved. Understanding how Brexit affects the EU General Data Protection Regulation (GDPR) and Network & Information Security (NIS) Directive implementation over the next few years will be necessary if your company conducts business in EU countries. For now, I do not expect any impact to EU cybersecurity laws. The UK will have to decide whether to continue support of these directives or draft their own replacement legislation. I suspect that they will opt into these directives; however, I never thought they would opt out of the EU, so it is a 50/50 chance that anything could happen. I base this opinion mostly on the economics of dismissing these critical cybersecurity laws, as many of the businesses in the UK are already moving toward changing their approaches to cybersecurity to support GDPR and NIS. In fact, the UK has already widely adopted the 2000 Electronic Commerce Directive, the 1995 Data Protection Directive, as well as the 2006 Data Retention Directive. Unraveling from 16 years of EU cybersecurity directives would be unfathomable.
I further believe that the UK will not want to disenfranchise itself from the EU law enforcement and information security agencies such as Europol and the EU Agency for Network and Information Security (ENISA). The UK has been a vocal and financial supporter of the creation of the European Cybercrime Centre (EC3) within Europol since the beginning, which has become the center point for fighting cybercrime throughout Europe. The UK will, of course, need to negotiate its role in these organizations once untethered from the EU. I do not envision its involvement diminishing, due mainly to its cybersecurity leadership and security technology acumen. It is widely believed that its leaving would negatively affect the EU’s ability to fight cybercrime. I do not see the UK taking a cyber law isolationist approach to the EU in the foreseeable future. Thus, for the time being, you should continue with business as usual; however, keep an eye on future developments.

TIP: Discuss with your legal department what exposures your organization may have resulting from Brexit. Estimate the impact of revising cybersecurity and policy practices. Prepare a plan of action in the event the legal framework changes how your company approaches information protection and privacy.

5.15 G7 Perspective on Cybercrime

In October 2016, I read a news feed article that the G7, a group of seven of the largest global economies (Canada, France, Germany, Italy, Japan, the UK, and the US, plus a European Union representative), announced a non-binding agreement with recommended elements to protect global financial institutions (Lange, 2016). Intrigued by the fact that the G7 would weigh in on cybersecurity, I retrieved the document from the US Department of the Treasury website to understand further what this actually means. What I learned is that there are eight elements to this agreement, covering pretty much what you might expect from such a lofty organization. The elements include all the classic goals, such as promising to create a global cybersecurity framework, governing the framework, encouraging risk assessments, and several other traditional categories of cybersecurity (US Department of the Treasury, 2016). Table 5-3 presents the elements of the G7’s cybercrime agreement.

Table 5-3. G7 Cybercrime Agreement Elements

Element | Topic | Focus
Element 1 | Cybersecurity Strategy and Framework | Create a strategy and framework to reduce cyber risks.
Element 2 | Governance | Assign competent personnel and manage their effectiveness through accountability metrics.
Element 3 | Risk and Control Assessment | Perform risk assessments of critical technology infrastructure.
Element 4 | Monitoring | Detect cyberattacks and test effectiveness of controls.
Element 5 | Response | Respond to cyberattacks.
Element 6 | Recovery | Recover from cybersecurity attacks while continuing critical operations.
Element 7 | Information Sharing | Share actionable cybersecurity threat information.
Element 8 | Continuous Learning | Implement a process of continuous improvement for the framework.
Only time will tell if the G7 member countries will rally around these agreed upon guidelines to set the global tone within the financial industry for improving cybersecurity for the world’s largest financial institutions.

Summary

To be an effective manager in today’s world economy, you would be wise to acquire a global perspective on business, technology, and yes, even cybersecurity. It is time to adopt a world view on how information is protected as well as understand how US foreign policy and trade pacts could impact your organization’s approaches to cybersecurity and data privacy. In addition, you will want to be ahead of the technology curve when it comes to legislative drivers. In the next chapter, I will show you how to build your cybersecurity law program and how to select a cyber liability insurance policy as your contingency plan when all else fails.

References

Antonipillai, J., & Lee, M. K. (2016, September). Intellectual property and the US economy: 2016 update. (US Department of Commerce, Economics and Statistics Administration, and the US Patent and Trademark Office). Retrieved from https://www.commerce.gov/sites/commerce.gov/files/media/files/2016/ipandtheuseconomysept2016.pdf

Gartner, Inc. (2015, November 10). Gartner says 6.4 billion connected "things" will be in use in 2016, up 30 percent from 2015 [Press release]. Retrieved from http://www.gartner.com/newsroom/id/3165317

Johnson, A. (2014, November 12). NOAA confirms cyberattack "in recent weeks." NBC News. Retrieved from http://www.nbcnews.com/news/us-news/noaa-confirms-cyberattack-recent-weeks-n247446

Lange, J. (2016, October 11). G7 sets common cyber-security guidelines for financial sector. Reuters. Retrieved from https://in.finance.yahoo.com/news/g7-sets-cyber-security-guidelines-financial-sector-152620366--sector.html

Lin, H. (2016, June 15). NATO's designation of cyber as an operational domain of conflict. Retrieved from https://www.lawfareblog.com/natos-designation-cyber-operational-domain-conflict

Meyer, P. (2016). Outer space and cyber space: A tale of two security realms. In A. Osula & H. Rõigas (Eds.), International cyber norms: Legal, policy & industry perspectives (pp. 155-169). Tallinn, Estonia: NATO Cooperative Cyber Defense Centre of Excellence.

Mott, N. (2014). The FBI thinks private companies may be retaliating against hackers with their own attacks. Retrieved from https://pando.com/2014/12/30/the-fbi-thinks-private-companies-may-be-retaliating-against-hackers-with-their-own-attacks/

National Association of Insurance Commissioners. (2016, August 17). Insurance data security model law. (Preliminary and working discussion draft). Retrieved from http://www.naic.org/documents/committees_ex_cybersecurity_tf_exposure_mod_draft_redline.pdf

Organisation for Economic Co-operation and Development. (2013). The OECD privacy framework. Retrieved from https://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf

Organisation for Economic Co-operation and Development. (2016). List of OECD member countries – Ratification of the convention on the OECD. Retrieved from http://www.oecd.org/about/membersandpartners/list-oecd-member-countries.htm

Podesta, J., Pritzker, P., Moniz, E., Holdren, J., & Zients, J. (2014, May). Big data: Seizing opportunities, preserving values. (The White House, Executive Office of the President). Retrieved from https://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf

Powell, D. (2008, August 29). Space station computer virus raises security concerns. New Scientist. Retrieved from https://www.newscientist.com/article/dn14628-space-station-computer-virus-raises-security-concerns/

Sanger, D. (2012, June 1). Obama order sped up wave of cyberattacks against Iran. The New York Times. Retrieved from http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?_r=2&pagewanted=2&seid=auto&smid=tw-nytimespolitics&pagewanted=all

Schmitt, M. N. (Ed.). (2013). Tallinn manual on the international law applicable to cyber warfare. Cambridge, UK: Cambridge University Press. Retrieved from https://ccdcoe.org/research.html

Trans-Pacific Partnership. (2016, February 4). Electronic commerce. Retrieved from https://medium.com/the-trans-pacific-partnership/electronic-commerce-87766c98a068#.46ozgub21

United Nations. (1982). United Nations convention on the law of the sea. Retrieved from http://www.un.org/Depts/los/convention_agreements/convention_overview_convention.htm

United Nations. (1999). UNCITRAL model law on electronic commerce with guide to enactment. Retrieved from http://www.uncitral.org/pdf/english/texts/electcom/05-89450_Ebook.pdf

United Nations. (2007). United Nations convention on the use of electronic communications in international contracts. Retrieved from http://www.uncitral.org/pdf/english/texts/electcom/06-57452_Ebook.pdf

US Department of Homeland Security, US Coast Guard. (2009, June 18). Port security advisory (3-09): Guidance on self-defense or defense of others by US flagged commercial vessels operating in high-risk waters. Retrieved from https://www.marad.dot.gov/wp-content/uploads/pdf/Port_Security_Advisory_3-09_Self_Defense.pdf

US Department of the Treasury. (2016, October). G7 fundamental elements of cybersecurity for the financial sector. Retrieved from https://www.treasury.gov/resource-center/international/g7-g20/Documents/G7%20Fundamental%20Elements%20Oct%202016.pdf

Chapter 6
Creating a Cybersecurity Law Program

At this point, you may be wondering how to take what you have learned and turn it into something actionable. In this chapter, I compose previously discussed subjects into a model that you may use to create your own cybersecurity law program. The program has two parts: the first is a formal structure to handle criminal and civil actions against your organization; the second is cyber liability insurance to hedge the impact of any potential litigation. Think of this as a strategy comprised of frontline legal defenses with a backup plan (insurance) when all else fails. You will learn how to create your program using some actual examples that I have found to be effective when building similar programs. Consider this approach as a guide rather than a rigid architecture that must be followed. I encourage you to leverage your experience as well as that of others in your organization to create something that is fit for purpose to your requirements and legal risk profile.

This chapter will help you to:
• Design a cybersecurity law program.
• Define the roles and responsibilities for the people who will staff your program.
• Create policies and procedures to effectively define and operate your program.
• Leverage technology to automate critical components of your program.
• Understand the value of adding cyber liability insurance to your program.

6.1 Cybersecurity Law Program

It is one thing to have a lot of knowledge about cybersecurity law, but it is another to harness that knowledge into something that is pragmatic and usable. One way to make knowledge actionable is to leverage it into a program. In this case, it is creating a cybersecurity law program for your organization. Think of the program as your plan to accomplish something within a specific structure. I will provide you with a framework and definition of resources to build your program. You will learn how to assign people to roles, create policies and procedures, and leverage technology to make your program successful. The program will provide you with the means to ensure your organization complies with the myriad of laws and regulations as well as abides by the rules of procedure in the event your company is sued.

6.1.1 Model

A model is an abstract representation of the structure that describes the basic workings of something. In our case, it is a cybersecurity law program. The model is an illustration of the moving parts of the program. Think of your organization’s cybersecurity law program as a multidiscipline collaboration where employees from different departments work together under a cohesive structure. The model’s highest level of definition is components. These components, represented by the gray boxes, show the focus areas of the program. The next level of definition is subcomponents, represented by the blue boxes. Subcomponents are the resources necessary to carry out specific actions to support the goals of the components. For example, to adhere to data privacy law adequately, your organization must assign people in accordance with policies and procedures that instruct them how to leverage technology to efficiently complete their tasks. A common knowledgebase is also required to document the program and provide the same level of knowledge to all program participants.

The model in Figure 6-1 shows that components and subcomponents continuously interact. If you have ever used models in the past, you may have found that having a picture of what the result looks like makes it much easier to build something. That is exactly the purpose of this model. Figure 6-1 is a conceptual model of a cybersecurity law program.

Figure 6-1 (diagram): components Cybersecurity Law, Data Privacy Law, Cryptographic Law, Forensics Law, and Cyber Liability Insurance; shared subcomponents People, Policies, Procedures, Technology, and Program Knowledgebase.

Figure 6-1. Cybersecurity Law Program Model

6.1.1.1 Components

Components can be added or subtracted from the model depending on emphasis or scope of your business. For example, if your organization had numerous contractual agreements with specific security and data privacy provisions, you may wish to add a component called contract law. The subcomponents would not change, as they are designed to support any component of the model. Components represent areas of practice that are ongoing and require specific attention, updates, and support events that can have a material impact on your business. You would not want to add a component that would be used only once, because the model is not project-oriented. The following describes each of the model’s components:
• Cybersecurity Law: Concerned with how your organization adheres to the legal and regulatory statutes associated with cybersecurity.
• Data Privacy Law: Concerned with how your organization abides by state, federal, and international data privacy laws.
• Cryptography Law: Concerned with how your organization protects data-at-rest and data-in-transit according to geographical residency or data transit provisions, data privacy, and cybersecurity laws.
• Forensics Law: Concerned with how your organization conducts digital investigations in a manner required to produce legally admissible evidence.
• Cyber Liability Insurance: Concerned with how your organization hedges civil lawsuits associated with data breaches through the use of specialized liability insurance.

By design, not all components of the model are required, because cybersecurity law requirements may differ between organizations. The model also removes much of the complexity of complying with cybersecurity and data privacy laws by grouping common practices into their respective components. Data privacy law activities are consolidated into a single component rather than treating them as separate activities spread across multiple components. For example, cryptography is referenced within the cybersecurity law and data privacy law components, but rather than duplicate these functions they have been consolidated in cryptography law.

6.1.1.2 Subcomponents

The second level of the model is subcomponents, where essential shared resources are defined. For your program to be successful, resources must be assigned. Resources in the proposed model consist of the roles employees will assume to manage their day-to-day activities, policies that define the organization’s principles and positions on the law, procedures to ensure the program activities are executed predictably and repeatably, and technology to automate certain program activities. A knowledgebase is also shared among the components to make information uniformly available. Rather than maintain laws in each component, they are stored in the knowledgebase because a single law could be required in one or more components. The model is dynamic, meaning that any component may share any subcomponent, interacting as needed. These interactions remove duplication of resources and functions. For example, the incident response plans residing within the procedures subcomponent may be shared with the data privacy or cybersecurity law components. The following describes each of the model’s subcomponents:
• People: Defines the roles and responsibilities of the people required to operate the program.
• Policies: Defines the principles and policies that guide the execution of the program.
• Procedures: Defines the activities carried out by the people assigned to the program.
• Technology: Defines the technology used to automate key activities of the program.
• Knowledgebase: Defines the central repository where laws, regulations, contracts, and program support materials are maintained.

Subcomponents are organized into views, which collectively create the cybersecurity law program architecture.

6.1.2 Architecture

The architecture is the design or blueprint of the program, its skeletal structure. Your program architecture will consist of three layers or views that segment subcomponents into business, functional, and technical views. Views are important as they describe the program from a stakeholder’s perspective. You may show your program to others within your organization, but unless relevance is immediately clear from their perspective, they won’t understand it or, even worse, may not support it. I think you will agree that explaining your program from the technical view to the legal department will result in a few glazed-over looks.
• Business View: Concerned with the people assigned to implement the program’s activities to ensure legal, regulatory, and contractual compliance. Policies define the business rationale and principles which guide the program’s activities. Key stakeholders in this view consist of legal counsel, senior management, and those who directly oversee cybersecurity and privacy.
• Functional View: Concerned with how the program functions on a day-to-day basis as well as during critical times of escalation or key events such as a lawsuit. Key stakeholders in this view consist of managers of cybersecurity, data privacy, incident response, insurance, and legal.
• Technical View: Concerned with what technology is used and how it is deployed and operated to support the program. Key stakeholders consist of security engineers, security architects, operations management, and application developers.

You have heard that a picture is worth a thousand words; an architectural depiction is no different. The architecture clearly and concisely presents how your cybersecurity law program is structured and how it supports the views of your organization’s key stakeholders. Figure 6-2 is a visual representation of a cybersecurity law program architecture consisting of business, functional, and technical views.

Figure 6-2 (diagram): Business View, subcomponents People (Senior Legal Counsel, Privacy Officer, Insurance Risk Manager, Cyberlaw Librarian, Cyberlaw Analyst, Cybersecurity Analyst, Chief Security Officer) and Policies (Cryptography, Digital Forensics, Data Privacy, Cyber Liability Insurance); Functional View, subcomponent Procedures (Encryption Export Filings, Document Preservations, Forensics Investigations, Data Breach Notifications, Legal Hold Orders, Data Breach Claims); Technical View, subcomponent Technology (SharePoint, LexisNexis, eDiscovery Software, RSS Feed, Legal Privilege Email, Forensics Software, Privacy Scanning).

Figure 6-2. Cybersecurity Law Program Architecture

6.1.3 Program Staffing and Roles

Any successful initiative or program begins with the proper assignment of personnel; a cybersecurity law program is no different. For the most part, you should be able to assign virtually all roles to existing employees. Your goal should not be to create a bureaucratic structure, but rather a virtual, collaborative team comprised of legal, insurance, privacy, and cybersecurity employees. In some cases, you may be able to assign multiple roles to a single individual depending on the size of your organization and level of annual or ongoing legal activity. Ultimately someone will need to lead the program; I recommend you appoint someone from the legal department. If your organization uses outside counsel, the next logical person to lead the program would be either the chief privacy officer (CPO) or chief information security officer (CISO). Anyone assigned to one or more of these roles should have the time to invest in implementing the program. Initially, there will be more work resulting from the collection of laws and regulations and cross-mapping to security and privacy controls. Afterward, the work effort will consist mainly of program updates, except during times of major events such as lawsuits. Figure 6-3 is an organization chart of the logical coupling of the roles. This is not a suggestion to realign existing organizational or reporting structures.

Figure 6-3 (organization chart): Senior Legal Counsel, with Cyberlaw Librarian (Admin) and Cyberlaw Analyst (Paralegal); Chief Privacy Officer; Insurance Risk Manager; Chief Information Security Officer, with Cybersecurity Analyst and Forensics Lead.

Figure 6-3. Cybersecurity Law Program Organizational Chart

As shown in Figure 6-3, these are the roles that you will require for an effective cybersecurity law program:
• Senior Legal Counsel: Accountable for the cybersecurity law program, providing legal advice and oversight. May also have direct responsibilities for legal activities within various program components depending on the size of your organization and number of annual legal actions. This role will report lawsuit activities directly to the chief executive officer (CEO) and board of directors.
• Cyberlaw Librarian: Responsible for maintaining a current repository of the laws and regulations covering data protection and privacy, cybersecurity, cryptography, digital forensics, service contracts, and trade agreements. It is typical for this role to be assigned to in-house or outside legal counsel.
• Cyberlaw Analyst: Responsible for reviewing each of the laws, statutes, and regulations in the law library to determine their geographical applicability. The analyst will focus on reviewing each law for the specific language relating to cryptography, forensics, data privacy, or insurance. TIP: Companies have had great success hiring interns or paralegals from local business or law schools to create the matrices and perform law mapping.
• Cybersecurity Analyst: Responsible for identifying and implementing current data privacy and cybersecurity controls to support the provisions of the laws and regulations. The analyst builds upon the work completed by the cyberlaw analyst by aligning and documenting controls mapped to the applicable laws and regulations.
• Chief Privacy Officer (CPO): The CPO is a key role within the program because many of the laws and regulations deal with the protection of information. The CPO may assume the responsibilities of all privacy-related activities depending on the manner in which the position is presently structured. This could include the collecting and mapping of laws and regulations related to privacy. The CPO will have significant influence in the selection of privacy-preserving technology deployed to protect information while it is in use.
• Insurance Risk Manager (IRM): The IRM role owns the cyber liability policy and is responsible for ensuring that your company complies with all of the required provisions of the policy. The IRM will evaluate each claim situation and, in collaboration with senior legal counsel, determine if a claim can be made. The IRM is also responsible for performing exposure analysis and maintaining oversight of the self-insured loss pool.
• Chief Information Security Officer (CISO): The CISO has direct accountability for the cybersecurity analyst and forensics lead, ensuring a system of checks and balances. The CISO verifies the mapping of the controls to laws and regulations in consultation with the CPO.
• Forensics Lead: This role is one where the primary activities begin after a data breach or cybersecurity incident. Nonetheless, the person in this role will need to be actively involved in pre-breach incident planning and integration of the rules of procedure with incident response plans.

6.1.3.1 Accountability Matrix

Whenever there are multiple people involved in a program, disputes over roles and responsibilities are common. An effective way to resolve these disputes is through the use of a RACI diagram. RACI is an acronym for Responsible, Accountable, Consulted, and Informed. RACI charts are an easy way to clearly show the responsibilities of the roles of the personnel involved in the cybersecurity law program.
• Responsible: This is the person who is primarily responsible for carrying out the activities of the role. More than one person can be responsible for a role given its complexity and level of effort.
• Accountable: This person is the one solely accountable for the success of the activities within a role. Unlike responsible, there can only be one accountable person per role. They also play the role of the verifier, ensuring the activities of the role are performed correctly.
• Consulted: These people, and there can be many, are consulted to ensure that activities are carried out based on the best advice available. People consulted can be outside the company if they play an ongoing role in the cybersecurity law program.
• Informed: These people are informed of the decisions or actions of the program as part of the communications strategy. Informing others can be done directly or indirectly through website postings.

Figure 6-4 is how your RACI diagram will look once it has been populated and responsibilities assigned.

Figure 6-4. Cybersecurity Law Program RACI Diagram

6.1.4 Program Policies

A series of policy statements will be required to support the cybersecurity law program. These statements describe how your organization will address the various aspects of the cybersecurity law program. Policies differ from procedures: policies are descriptive and procedures are prescriptive. Your existing policy format should be used, or you may follow the format example noted in the tip below. One of the goals in creating this program is to integrate the cybersecurity law program requirements into your existing cybersecurity program. Remember that not all policy statements may apply to your situation.

TIP: If you desire additional examples of how to create policies, the SANS Institute’s Security Policy Project has made available excellent sample policies that you may use as a template.

It is likely that your organization has some form of security policy manual. However, you may not have the specific policy statements to cover the areas of cybersecurity law. Should you find these types of statements missing in your policy manual, I have drafted several policy statements that can be used to supplement your existing policy manual. These policy statements do not constitute a full policy, but only the statement. You will need to customize these statements to bring them into alignment with your current policy manual format.

• Cryptography. The following policy statements cover eight specific areas of cybersecurity law and cryptography introduced in Chapter 4 of this book:
  o Cryptography Patent Infringement: No cryptography algorithms shall be used unless the patent has either expired or the company maintains a valid license. License arrangements must meet the expected use of the product or service life as well as comply with export control guidelines.
  o Encryption Personal Use Exemption: Travel by employees to countries that do not extend personal use exemptions will require authorization by the legal department and the filing of an encryption import license.
  o Export Control Law: Software or hardware products containing an encryption level higher than 512-bit key encryption will not be sent or used outside of the US, in compliance with Export Administration Regulations.
  o Healthcare Data Privacy: Personal healthcare information (PHI) of employees or customers, regardless of the Health Insurance Portability and Accountability Act (HIPAA) compliance requirements, will be encrypted with an algorithm and processes prescribed by the company’s PHI risk assessment.
  o Import Control Law: In the event travel or equipment deployment is required within an import restricted country, an appropriate license will be filed, and only after US Department of State approval will the activity proceed.
  o International Encryption Law Compliance: Data sent to and stored in foreign countries will comply with all local encryption laws. If local encryption law requires a lower level of key length than currently used, an application for an export license will be necessary.
  o Key Disclosure Laws: Employees traveling to countries that require key disclosure will abide by all local encryption laws, including providing the password to decrypt information requested by local authorities. Any time a request is made, the employee will immediately notify the legal department.
  o State Encryption Safe Harbor Provisions: Encryption of personal data at a level meeting or exceeding the highest level key length of any state will be followed to ensure compliance with all state safe harbor provisions.

• Data Privacy. The following policy statements cover three specific areas of cybersecurity law and data protection introduced in Chapter 3 of this book:
  o Federal Children’s Online Privacy Law: Applications or systems that interact with minors (13 and under) will comply with the standards of the Internet Keep Safe Coalition (iKeepSafe), a nonprofit international alliance of advocates for children, established in 2005, and its Safe Harbor program under the Children’s Online Privacy Protection Act (COPPA).
  o Privacy Law Library: A current library of state, federal, and international privacy laws will be maintained. Cross-mapping will be performed on each law to facilitate an understanding of which law applies to which geographical coverage of operations or customers. A cross-mapping of security controls with legal requirements will be maintained to ensure alignment with the cybersecurity program.
  o State Minor’s Privacy Acts: Applications or systems that interact with minors (17 and under) will abide by all provisions of any state’s child privacy law, including prohibiting the sale of dangerous products and complying with requests to remove personal data.

• Digital Forensics. The following policy statements cover five specific areas of cybersecurity law and digital forensics introduced in Chapter 4 of this book:
  o Digital Best Evidence Rule: Digital evidence will be gathered according to the Federal Rules of Evidence under the oversight of the legal department.
  o Digital Chain of Custody: To ensure evidence in a cybercrime investigation is admissible in a court of law, all evidence will be gathered according to the US Department of Justice’s Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations manual under the oversight of the legal department.
  o Digital Data Spoliation: In the event of a pending lawsuit or issuance of a preservation order, no employee or contractor will destroy or alter in any way the data identified by the court order.
  o Preservation Order: Once a preservation order has been received, no action will be taken unless and until the direct oversight of the legal department has begun. All documents requested will be secured in a manner as to preserve them for plaintiff discovery.
  o Search and Seizure of Encrypted Data: If a discovery order is received to produce information, full cooperation will be provided to the plaintiff’s legal counsel and the data will be decrypted and submitted. This process can only occur under the direction of legal counsel.

• Cyber Liability Insurance. The following policy statements cover two specific areas of insurance introduced in Section 6.2 of this chapter:
  o Cyber Liability Insurance Policy: The company will carry a cyber liability insurance policy for up to $5 million above the self-insurance loss pool of $1 million with a $100,000 per loss deductible for third party losses.
  o Annual Coverage Assessment: An annual assessment of cyber liability coverage will be performed taking into account the estimated loss exposure for a data breach based on the projected number of compromised records in the next fiscal year.

6.1.5 Program Procedures

A procedure corresponding to each cybersecurity law policy will be required to ensure that the guidance of the policies is carried out in a predictable, repeatable manner. Procedures are the prescriptive guidance on how an activity should be completed to accomplish the desired outcome. A procedure format that I have always felt was the most comprehensive was based on the Information Technology Infrastructure Library (ITIL) standard. ITIL is a set of practices for Information Technology Service Management (ITSM), which provides guidance on aligning information technology with the business. One of the areas where ITIL excels is documentation, including procedures, processes, tasks, and checklists. Table 6-1 is a sample ITSM-based procedure which you can use as a template to create other procedures.

Table 6-1. Sample Procedure

Name: Digital Evidence Procedure

Purpose: Legally Obtaining and Managing Digital Evidence. The purpose of this procedure is to identify the specific tasks necessary to ensure compliance with state and federal laws of digital evidence gathering and preservation.

Exclusions: This procedure does not replace existing forensics or incident response procedures and only addresses the legal aspects of digital evidence.

Scope: This procedure applies to all electronic information residing in applications (Microsoft Office, etc.), cloud storage, databases, emails, files, storage devices, text messaging, USB drives, web pages, or any other computer generated or stored data.

Prerequisites: Performing this procedure will require one or more of the following forms obtained from the legal department: 1) Data Preservation Letter; 2) Request for Production of Documents; 3) Letter Appointing Third Party Neutral Expert; 4) Deposition Notice; 5) Interrogatories; 6) Non-waiver and Confidentiality Agreement; 7) Custodian Interview Sheet; and 8) Onsite Detail Gathering Questionnaire. Note: Provide links to documents in your knowledgebase.

Responsibilities: The following personnel have been identified to perform the required activities within this procedure: 1) Legal Counsel; 2) Cybersecurity Program Manager; 3) eDiscovery Lead; 4) Security Analyst; 5) Data Storage Manager; 6) Forensics Expert; and 7) Private Investigator. Note: Some of these roles may reside outside of your RACI as they are not directly part of the cybersecurity law program.

Processes: Include a process flowchart. The diagram consists of activities connected by decision points.

Tasks: Step 1) Secure Digital Evidence from Further Use; Step 2) Begin Evidence Log; Step 3) Contact Forensic Expert; Step 4) Assign Legal Counsel Representative; Step 5) Complete Best Evidence Log; Step 6) Begin Best Evidence Collection; Step 7) Start Chain of Custody Log; Step 8) Secure Evidence; and Step 9) Video Document Process.

References: During the execution of this procedure, it may be helpful to reference the following policies, laws or government standards: 1) Title 18 Crimes and Criminal Procedure; 2) California digital forensics statute; and 3) the US Department of Justice’s manual, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. Note: Provide links to documents in your knowledgebase.

Definitions: The following terms may not be familiar to all personnel executing this procedure: 1) Best Evidence: Digital content that can be proven to represent the most authentic evidence; 2) Spoliation: Any erasure, alteration or modification of digital information to alter the course of a lawsuit.
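As an added example (my code, not from the book or any product it names), the following Python sketch shows how the evidence log and chain-of-custody log of Steps 2, 5 and 7 above can be made tamper-evident: each entry records the item’s SHA-256 hash and the hash of the previous entry, so spoliation of the item, and edits to the log itself, are both detectable at review time. The evidence content, item id, host name and incident number are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash recorded by the first entry of every log


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceLog:
    """Custody record for one evidence item. Each entry commits to the item's
    content hash and to the previous entry's hash, so an edited, removed or
    reordered entry, and any change to the item itself, can be detected."""

    def __init__(self, item_id, content, collector, description, clock=None):
        self.item_id = item_id
        self.entries = []
        # clock is injectable so the example is deterministic; default is UTC now
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())
        # Steps 2 and 5: open the log with the hash taken at collection
        self._append("collected", collector, sha256_hex(content), description)

    def _append(self, action, actor, content_hash, note):
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "item_id": self.item_id,
            "seq": len(self.entries),
            "timestamp": self._clock(),
            "action": action,
            "actor": actor,
            "content_hash": content_hash,
            "note": note,
            "prev_hash": prev_hash,
        }
        # The entry hash covers every field above; any later edit breaks it
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def transfer(self, from_actor, to_actor, content, note=""):
        """Step 7: custody transfer. The receiver re-hashes the item on receipt,
        so a change made while the previous custodian held it is recorded."""
        return self._append("transferred", to_actor, sha256_hex(content),
                            f"from {from_actor} to {to_actor}. {note}".strip())

    def verify(self, current_content):
        """Return a list of problems; an empty list means custody is intact."""
        problems = []
        expected_prev = GENESIS
        original_hash = self.entries[0]["content_hash"]
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                problems.append(f"entry {e['seq']}: log record altered after it was written")
            if e["prev_hash"] != expected_prev:
                problems.append(f"entry {e['seq']}: chain break (entry missing, reordered or inserted)")
            if e["content_hash"] != original_hash:
                problems.append(f"entry {e['seq']}: evidence content changed before custody of {e['actor']}")
            expected_prev = e["entry_hash"]
        if sha256_hex(current_content) != original_hash:
            problems.append("current evidence content does not match the hash taken at collection")
        return problems


# Constructed sample input: a log excerpt stands in for the seized item.
# Host name and incident number are placeholders, not real identifiers.
SAMPLE_EVIDENCE = b"constructed sample: auth.log copied from host WS-042 (incident IR-17-003)\n"


def fixed_clock():
    return "2017-01-01T00:00:00+00:00"  # fixed timestamp so results are reproducible


def build_sample_log():
    """Collection followed by two hand-offs, with the item unchanged throughout."""
    log = EvidenceLog("EV-0001", SAMPLE_EVIDENCE, "security analyst",
                      "auth.log copied from WS-042", clock=fixed_clock)
    log.transfer("security analyst", "forensics lead", SAMPLE_EVIDENCE, "sealed evidence bag")
    log.transfer("forensics lead", "legal counsel", SAMPLE_EVIDENCE)
    return log


def spoliation_demo():
    """The item is altered after collection; checking it against the chain catches it."""
    log = build_sample_log()
    return log.verify(SAMPLE_EVIDENCE.replace(b"WS-042", b"WS-099"))


def log_tamper_demo():
    """A custody note is edited in place; that entry's own hash no longer matches."""
    log = build_sample_log()
    log.entries[1]["note"] = "from security analyst to forensics lead. bag opened"
    return log.verify(SAMPLE_EVIDENCE)


if __name__ == "__main__":
    print("intact:", build_sample_log().verify(SAMPLE_EVIDENCE))
    print("spoliation:", spoliation_demo())
    print("log tampering:", log_tamper_demo())
```

In practice the log would be written to append-only storage and the entry hashes countersigned or timestamped by a second party, since an attacker who can rewrite every entry can also recompute the chain.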

6.1.6 Program Technology

Technology can be leveraged to improve the effectiveness of the people executing tasks within the program. You should consider where it makes sense to invest in the right tools to reduce the manual effort to accomplish the many activities required of the program. You should also remember that technology is not a silver bullet and that not all tasks need to be automated. Consider that today 41% of organizations manage their legal programs using manual or semiautomated methods such as Microsoft Office products (Harris, 2016). To read more about how companies automate their lawsuit case management, access Zapproved’s 2016 survey of how companies automate their law programs. Some of the more critical areas to automate would be the elimination of data spoliation and of breaks in the chain of evidence custody. To help you determine the types of technology to consider, I have highlighted below some of the most widely used in similar programs.

6.1.6.1 eDiscovery Software

Organizations that expect involvement in several data breach lawsuits or regulatory inquiries over the course of a year may wish to consider a software product specifically designed to manage the litigation process. Electronic discovery (eDiscovery) software ensures the best possible outcome from the gathering to the management of digital data discovery. These products include capabilities for legal holds, digital data collection, processing of evidence, analysis of evidence, and review and production of court documents. Within your company lives a vast amount of potentially discoverable information. If your business maintains documents in foreign languages, you will need a solution that also searches in native languages to accommodate discovery requests globally.

The eDiscovery software is designed to support Rule 34 of the Federal Rules of Civil Procedure. What is important for you to know about this rule is that when your company is involved in a lawsuit and under discovery, you must produce any pertinent electronically stored information. Electronic data consists of memos, emails, network diagrams, PowerPoints, Excel spreadsheets, and any other data the plaintiff requests in their discovery motion. This essentially means that if you store it electronically, it potentially can be discovered. In 2015, the Federal Rules of Civil Procedure added several new requirements. You will need to ensure that your company is advised by a law firm that understands the differences between the old and the new rules to avoid having evidence or even a case dismissed for circumstances related to poor procedures. Spoliation sanctions are substantially more severe when parties do not preserve their electronic data. Another change in the rule is to ensure that discovery requests are not overly broad and are proportional to the specific issues in the case (Grounds, 2015). Several other changes related to the speed at which discovery data must be submitted and its accuracy may lead you to adopt an eDiscovery platform sooner rather than later.

The eDiscovery software allows you to securely upload documents for disclosure, creating an index and inventory of the data. These programs are also designed to search vast volumes of data looking for specific terms or data specified in the discovery or preservation order using sophisticated data analytics. One of the unique aspects of these products is that they learn and adapt during the searches, expanding discovery to other digital data that may be relevant through learned relationships. For example, if your company is involved in a contract dispute, you may be focusing only on the contracts and not the interactions with those contracts. The eDiscovery software will search for relationships with the contract in question, looking for such connections as who downloaded copies, wrote related emails, or created supporting memoranda.

TIP: Ensure that a comprehensive data retention and data retirement policy and practices are in place to prove to a court that any data destroyed was a result of company policy and not purposeful spoliation.

6.1.6.2 Program Knowledgebase

Your program will require a significant quantity of documents that will need to be stored and easily accessed by program participants. One example is that all of the laws to which you will need to adhere should reside in a document repository such as Microsoft’s SharePoint, where they can be meta-tagged or indexed with appropriate search criteria. SharePoint is a product that serves as a secure document repository that stores and organizes virtually all forms of information. Meta tagging is a way to tag or flag a document with keywords so that anyone searching for that kind of information may locate it. When flagging your documents in the knowledgebase, you should use a minimum standard set of keywords as search criteria. Table 6-2 provides you with a starter set of keywords to use for meta tagging your documents.

Table 6-2. Sample Document Meta Tags

Category of law: Civil, criminal, contract
Program component: Cryptography, forensics, data privacy, insurance
Document attributes: Effective date, owner, source, review cycle
Geographical applicability: City, county, state, country
Jurisdiction: State, federal, international, municipal, regulatory
Document type: Agreement, contract, law, regulation, statute, treaty

It would not be uncommon for the repository to contain over one hundred laws and regulations alone. Add to that all the policies, procedures, and reference material, and you may need to manage over 500 documents, making a central knowledgebase essential.

TIP: Within the geographical applicability field, the estimated number of customers or business operations should be noted. This will support the decision process of determining when to make a data breach notification, because data breach notifications are based on the number of affected records or customers.

6.1.6.3 Legal and Regulatory Update Subscription

Maintaining currency with this number of legal documents, as well as knowing when laws are introduced, can be a time-consuming endeavor. One way to automate this process is to obtain a subscription from either Thomson Reuters’ Westlaw or RELX Group’s LexisNexis. A less expensive way of acquiring and updating the numerous documents required would be to search for them individually and then, where possible, set up a Really Simple Syndication (RSS) feed to be alerted to changes in the various documents supported by the feed. RSS is a technology used to track websites and stream updates to a data repository, such as a spreadsheet or database. This makes keeping up with changes in the law more efficient. The following are some (free) sources for gathering and maintaining legal documents for your law library:
• Code of Federal Regulations.
• Federal laws.
• International data breach laws.
• State data breach laws.
• Supreme Court.

6.1.6.4 Policy Compliance Scanning

Once you have identified and deployed all the cybersecurity and privacy controls that are required to adhere to your applicable laws and regulations, you will want to ensure they maintain a stable state. Attempting to do this manually is nearly an impossible task. Thankfully, there are products and services available that can scan your network, testing your cybersecurity and privacy controls against the policies you established to maintain compliance. Policy scanning is available as a cloud-based service or a standalone product you run yourself. These products and services work by allowing you first to define the policies that you wish to enforce. Next, they scan your network, databases, servers, and applications looking for and testing those controls to verify they are deployed and working. Policy scans can be run outside or behind your firewall. Your scan history is stored securely so you can prove which security controls were in place and working at the time of a data breach if your cybersecurity program’s effectiveness is called into question in a lawsuit.

6.1.6.5 Forensic Toolkits

When conducting data breach investigations, your organization will require a forensics toolkit to either identify evidence destroyed by employees or create evidence according to the best evidence rule. These tools work by saving an image of a hard disk and confirming the integrity of the data during the process to produce legally admissible evidence. Whichever product you decide to use, it should be one that will hold up to legal scrutiny. Two such products that I have used in the past, Forensic Toolkit and EnCase Forensic, are both court-cited digital investigations products. A comprehensive list of forensic toolkits can be found at http://www.forensics.nl/toolkits.

6.1.7 Mapping Legal Requirements to Controls

You will find that an important activity within the program is mapping cybersecurity and privacy controls to specific provisions of the various laws and regulations by which your company must abide. This can be accomplished through the use of a Microsoft Excel spreadsheet. Begin by examining each law and flagging instances where a specific requirement is cited. Then review the laws that relate to a legal or regulatory requirement to implement data encryption.
Next, inventory the specific provisions related to encryption. Once your spreadsheet is completed, you can align your existing controls to comply with those requirements. Table 6-3 is an example of mapping using the cryptography law component.

Table 6-3. Cryptography Control Mapping
Legal Provisions of Complying with Cryptography Law

Law: State Encryption Safe Harbor Provisions
Legal Requirement: Encryption key-bit length requirement of 128-bits or higher.
Current Control or Standard: 512-bit standard is adopted.

Law: Children’s Online Privacy Protection Act
Legal Requirement: Self-regulatory safe harbor framework.
Current Control or Standard: iKeepSafe safe harbor program deployed.

Law: Wassenaar Arrangement
Legal Requirement: Personal use exemption.
Current Control or Standard: Employee work-related travel restricted to Canada, Japan, and the UK.

Law: UK Key Disclosure Law
Legal Requirement: Submit data encryption key upon request of law enforcement.
Current Control or Standard: Key disclosure policy and procedure published in the policy manual.

Law: HIPAA Security Rule
Legal Requirement: NIST encryption standard requirement for PHI data at rest.
Current Control or Standard: Company-wide adoption of NIST SP 800-111.

This mapping will allow cybersecurity program personnel to verify and align security and privacy controls to ensure cybersecurity law compliance. TIP: Check out the Unified Compliance Framework® (UCF) for products offered on mapping cybersecurity and privacy laws to internationally accepted controls such as ISO 27002 and NIST SP 800-53.

6.1.8 ISO/IEC 27002 on Compliance Controls

If you would like to reference a standard for the further definition of your cybersecurity law program, I encourage you to acquire the current version of ISO/IEC 27002, Information technology – Security techniques – Code of practice for information security controls, at the ISO Store. Subsection 18.1, Compliance with legal and contractual requirements, focuses on deploying controls to avoid violations of laws and regulations, as well as contractual obligations. The controls will guide you in:
• Identifying and analyzing applicable laws and regulations.
• Implementing protection for intellectual property.
• Deploying an approach to protect organizational records.
• Identifying and protecting personally identifiable information (PII).
• Identifying and complying with cryptography rules and regulations.

6.2 Cyber Liability Insurance

Cyber liability insurance policies evolved from errors and omissions (E&O) insurance policies. Twenty years ago, companies could purchase policy riders for software failures, unauthorized access to systems, destruction of data, and computer viruses. Early policies were referred to as network security or Internet liability policies. At the beginning of 2005, policies emerged to provide coverage for data breach incidents. These policies were particularly popular with retailers, who held a significant amount of exposure from the credit card data they held and processed. Based on customer demand, insurance companies launched cybersecurity and privacy liability policies. It is estimated that one in three companies now has some form of data breach insurance policy (DiCanio, 2015). According to AIG, insurance underwriters collected $1.6 billion in premium income in 2015. Allianz projects premium income to grow to $20 billion by 2025 (Ramsinghani, 2016). In my experience with customers, premiums can range from $15,000 to $50,000 for one million dollars in coverage, depending on risk. Cyber liability policies can include the following components:
• Errors and Omissions: This type of insurance covers non-fraudulent causes of failures or errors occurring in the performance of computer services. Technology companies offering cloud, software, or consulting services typically acquire this type of insurance.
• Media Liability: This type of insurance covers customer injury claims resulting from intellectual property infringement, copyright or trademark infringement, libel, and slander. Coverage could also be extended to patent or trade secret violations. This coverage is important to organizations with sizable online presences.
• Network Security: This type of insurance covers network equipment failures or external attacks against your network, including denial of service attacks. Network outages or breaches covered can include data breaches of consumer information, cyber extortion, data alteration or destruction, or malware infestations.
• Privacy: This type of insurance covers breach of physical records caused by theft, loss, or accidental disclosure. Other incidents that may be covered include improper disposal of equipment containing sensitive data and inadvertently collecting confidential information.
• Network Security and Privacy Liability: This type of insurance is a hybrid policy that also provides coverage for both the insured company and their third-party service providers. It covers the costs of responding to and recovering from data breaches, including penalties assessed from a lawsuit.

6.2.1 Coverage Categories

Cyber liability policies can be acquired to cover either first party losses, i.e., losses your company experiences solely, or third party losses, i.e., losses that others experience as a result of your data breach.
Before determining what type of policy is best for your company, it is important to include areas of coverage that you have identified from your business impact or risk assessment. This will allow you to align appropriate levels of insurance without over or under insuring for losses. Table 6-4 presents coverage available for first or third party losses.

Table 6-4. First and Third Party Loss Coverage

First Party Losses
• Cost to pursue indemnity rights.
• Crisis management expenses.
• Data ransom.
• Data recovery.
• Good faith advertising.
• Forced cybersecurity program oversight expenses.
• Hiring forensic experts.
• Hiring of private investigators.
• Litigation defense.
• Loss of profits caused directly by the breach.
• Making legally required data breach notifications.

Third Party Losses
• Compromised intellectual property loss.
• Costs of responding to regulatory inquiries.
• Data transfer losses.
• Impaired access.
• Lawsuit settlements.
• Liability to financial institutions for reissuing credit or debit cards.
• Offering credit monitoring services as part of a settlement.
• Regulatory fines.

These categories also align to first or third party related expenses. Once again, first party expenses are your direct costs; third-party costs are those costs relating to those whom your company’s breach may have harmed. You will also need to focus on what is covered within each of these categories. For example, even though you may have a $5 million policy, you may only have $100,000 of coverage for forensics related costs. This would be an example of a sublimit. A sublimit is an amount of insurance coverage available to cover a specific type of loss. I have seen customers become quite upset when they realize their $5 million of coverage only allows $250,000 for a particular loss event. Your risk assessment should guide you to which policy categories you should focus on.

Also consider insurance based on your company’s residual risk. Residual risk is the risk that is left after you have applied all your security controls. For example, if you have a risk score of five (or moderate) according to a point scale for a data breach, it may be sufficient to have a sublimit for $250,000 of data breach related costs. However, if after you apply compensating controls your risk score remains at eight, you may want to increase the coverage sublimit. If you have the money and you don’t want to have to worry about sublimits, you can always acquire a blanket insurance policy. Some of the most expensive policies offer blanket coverage with no sublimits. You will also need to consider the deductibles for each sublimit to make sure you are not paying for insurance that, in reality, you could never use because the deductible pays for a specifically categorized area of coverage. Because deductibles can vary widely, you would do best to shop for policies. You will also need to read the fine print, because there will be various conditions for each claim. Examples of these conditions include the period your network is down for a denial of service attack, how complete your security controls are, and even whether you were completely truthful on your policy application.

Some businesses have learned that filing a data breach claim against their commercial general liability or property insurance policies is problematic and there is no guarantee their claim will be approved. Insurance companies have claimed these types of policies were never meant to cover data breaches and began commonly including data breach exclusions in new and renewed policies. Insurance companies have a long and litigious history of denying claims where customers have claimed their electronic data is property and subject to coverage under their general loss policy. You will need to decide if you are willing to gamble that your existing policy will cover a data breach, or be proactive and conduct a thorough policy review to understand how your policy performs in the event of a data breach.

6.2.2 Policy Restrictions

As with anything in life, nothing is without boundaries, and cyber liability insurance policies are no exception. As with most types of insurance policies, consequential or abstract losses are not covered. Insurance companies are going to need concrete demonstrations of loss, similar to how courts have ruled that victims of data breaches need to prove a real loss. The following categories of loss, although very real, are not likely to be covered by your insurance policy:
• Claims based on subsequently proven inadequate security controls.
• Claims made on invalid or untruthful policy application declarations.
• Costs of upgrading failed security systems.
• Intangible calculations for loss of your company’s reputation.
• Intrinsic loss of intellectual property.
• Projections for loss of future revenue.

You should conduct a business impact assessment (BIA) of your company’s exposure to uninsured coverage losses. Treat the cyber insurance policy restrictions mentioned above as vulnerabilities in the context of a risk assessment.

6.2.3 Policy Value

Many of us view insurance as a painful expense that may never be needed. Cyber liability insurance is a bit different in that the policy provides some services that most companies don’t think of when they start considering acquiring such policies. Insurance companies offering these types of policies have a vested interest in your company (1) not getting compromised, and (2) recovering as quickly as possible with the least cost. A cyber liability insurance policy can help even when no claim exists by providing:
• Access to cyber breach lawyers.
• Access to cyber breach forensic experts.
• Access to pre-breach risk avoidance advice.
• Advice on limiting exposure to cyber breach lawsuits.
• Access to cyber breach documentation portals.

6.2.4 Policy Cost

The cost of cyber liability insurance is based on risk, consisting of industry threat profile and loss history, current cyberattack safeguards, the sensitivity of data retained, and requested levels of coverage. Based on these factors, the cost varies widely even among insurance companies offering these types of products. To provide you with a basis of cost, I analyzed cyber liability insurance policies from 35 companies across seven industries with an average of $138.8 million in annual revenues. The raw data for this analysis came from a website posting from Cyber Data Risk Managers LLC (Marciano, 2016). The average policy amount was $3.71 million with an average annual premium of $20,309. Each dollar of cyber liability insurance costs these companies less than one-half cent. You can use this data to arrive at a rough order of magnitude estimate for what a cyber liability policy would cost your business. The following are some additional facts from my research:
• The majority of policy coverage limits came in increments of $1 million, $2 million, $5 million, and $10 million.
• Financial companies paid the highest premiums, followed by technology companies.
• Services companies paid the least in premium payments.
• Technology companies purchased the highest levels of coverage, followed by retail.
• Healthcare, technology, and services companies bought the majority of the policies.

The significant increase in cyberattacks has caused insurers to increase the cost of cyber liability insurance premiums as well as raise deductibles. Average rates for retailers rose 32% in 2015 (Finkle, 2015). Cyber liability policies are available up to $100 million; however, keep in mind, the more coverage you seek, the more due diligence the insurance company will do in advance of issuing a quote.

6.2.5 Policy Claims

To understand where companies have made claims against their cyber liability insurance policies, I looked to the 2015 Cyber Claims Study produced by NetDiligence, a cyber risk assessment and data breach service company. The study was based on an analysis of 160 companies that made claims against their policies, as reported by the underwriters who approved the claims. Please note that data breaches are commonly reported in terms of compromised records, meaning that a single breach could include millions of records. The following are the key findings from this report:
• Average breach claim was $673,767.
• The average payout for crisis services was $499,710.
• The average claim for a large company was $4.8 million.
• The average claim for a healthcare company was $1.3 million.
• The average cost of a claim by individual record (that is, the total cost of the breach divided by the total number of affected records) was $964.31.

To gain more insight on how others have used their cyber liability insurance policies, I encourage you to read this important report available at https://netdiligence.com/wp-content/uploads/2016/05/NetDiligence_2015_Cyber_Claims_Study_093015.pdf.

TIP: Calculate data breach costs based on the estimated number of impacted records and the average cost of remediation based on the NetDiligence data loss numbers presented within their 2015 report.

6.2.6 Policy Claim Disputes

As popular as cyber liability insurance is, it is not without its controversy. In some widely publicized cases, insurance companies or claimants have sued one another after a breach, either looking to avoid paying or enforcing their policy to receive payment. One such case, CNA v. Cottage Health, was discussed in Chapter 2. If you have ever renewed an insurance policy after you have had a claim, you know that it can be problematic, with insurance companies wanting to drop you or raise your rates. Cyber liability insurance companies are no different. Companies have publicly reported that insurers have either refused to renew their policies or substantially increased their premiums or deductible amount. The following are some of the reasons that insurance companies have denied paying on data breach claims:
• Failing to have a certified and qualified security professional in charge of cyber security.
• Failing to perform vulnerability scans at regular industry accepted periods.
• Failing to follow accepted industry security standards such as the Payment Card Industry Data Security Standard (PCI-DSS).
• Failing to adhere to policy provisions.
• Failure to pay premiums on time.
• Failing to exhaust provisions of other related policies such as general liability policies.
• Failing to meet the self-funding provisions of the policy.

It will be critical for you to work closely with your insurance broker or company risk insurance manager to understand how to comply with the provisions of the policy and avoid denial of a claim. It is also important to understand what type of coverage may be included in your commercial general liability (CGL) policy.

6.2.7 Policy Lawsuits

Described below are some interesting court cases involving insurers’ and claimants’ lawsuits.

6.2.7.1 P.F. Chang’s v. Travelers Indemnity Co.

Travelers Companies filed a lawsuit against their customer P.F. Chang’s China Bistro, Inc.
stating that it is not obligated to cover defense costs related to the restaurant chain’s 2013 data breach of over seven million customer records. Travelers claimed that the chain had a separate cyber liability insurance policy that they had not made a claim against and that the chain had not met its liability self-funded retentions endorsement of $250,000. What is important about this case is that insured companies will need to understand how insurance policies from different companies treat their claim, as well as their need to ensure they exhaust all their policy obligations before making a claim (Sturdevant, 2014). You need to understand how primary and subordinate policies pay claims and what provisions may exist that could cancel out certain policy features such as self-funding endorsements.

6.2.7.2 Recall Total Information Management Inc. v. Federal Insurance Co.

In this case, the Connecticut Supreme Court ruled that there was no coverage for the loss of computer tapes containing IBM employees’ PII when they fell out of the back of a Recall courier van. The court stated that there was no evidence that the data was accessed and consequently there was no harm. What is important about this case is that insured organizations will need to prove PII was compromised to receive payment on a claim (Lavine, 2014).

6.2.7.3 Retail Ventures v. National Union Fire Insurance Co.

National Union Fire Insurance filed an appeal in the United States Court of Appeals for the Sixth Circuit requesting that a previous judgment of $6.8 million plus expenses be vacated. In this case, DSW Shoe Warehouse, Inc. was awarded $6.8 million in stipulated losses to be paid by the insurer under their blanket crime policy for a 2005 hacking incident after the insurer refused to pay. The costs incurred by DSW were related to resolving the breach, compensating customers, and payment of fines. The court ruled for DSW, denying the insurer’s appeal. What is important about this case is that the court ruled that an insurer’s non-cyber but general commercial crime policy covered third-party losses resulting from a large-scale computer hacking attack. Until insurers close this gap in policies, insureds will have a basis to obtain coverage under their non-cyber policies (Greenwald, 2012).

6.2.7.4 Travelers Property Casualty Company of America, et al. v. Federal Recovery Services, Inc., et al.

Here the District Court of Utah ruled that Travelers has no obligation to defend two service companies (Federal Recovery Services Inc. and Federal Recovery Acceptance Inc.)
in a suit alleging they withheld customer information from Global Fitness Holdings, LLC. The judge stated that the Travelers CyberFirst policy was not applicable, as there was no damage resulting from errors, omissions, or negligent acts. The lawsuit the service firms sought to have Travelers defend against involved none of these insured causes. The facts of the case were that the service companies purposefully withheld Global’s member data for money while Global was being acquired by LA Fitness, subsequently interfering with the purchase transaction. What is remarkable about this case is that insured companies need to understand that first party claims based on fraud are not covered (Anderson, 2015).

6.2.7.5 Universal Am. Corp. v. National Union Fire Ins. Co.

In this case, the insurance carrier denied a claim relating to losses incurred for fraudulent use of the insured’s computer systems. Universal made a claim under their computer fraud policy to cover losses caused by several healthcare providers who accessed their systems and fraudulently processed $18.3 million in bogus Medicare Part D claims. The court ruled that the computer fraud policy applied to wrongful acts in the manipulation of the computer system, i.e., by hackers, but did not cover fraudulent acts by authorized users of their systems. This case highlights why it is important to closely examine insurance policies, including the insuring agreements, definitions, and exclusions (Wolin & Sessions, 2013).

6.2.7.6 Zurich Insurance v. Sony

Here Zurich refused to pay a commercial general liability (CGL) claim related to Sony’s well-publicized 2011 hacking incident of their PlayStation Online Services, stating they had no duty to defend the resulting litigation. Sony claimed that their policy provided for payments in cases where the disclosure of personal data through oral or written publication was a covered event. Zurich disagreed, arguing that this provision only applies to Sony employees and not third parties, or in this case the hackers that stole the customer data. The judge ruled that a claim would require an act or conduct by the policyholder for the coverage to be in force. What is important about this case is that insured companies should know the differences between first party and third party acts when making a claim (Greenwald, 2014).

As these examples clearly indicate, the devil is in the details, or in these cases the fine print of their cyber liability policies.

Summary

The volume of data protection disputes could rise by six times within five years, according to a 2016 study by the School of International Arbitration at Queen Mary University of London and the Pinsent Masons law firm (Millman, 2016). This startling statistic should compel you to create a cybersecurity law program to prepare your organization to defend against an increasingly probable event – a data breach lawsuit. In this chapter, you have seen examples of a program model, an architecture, and an organization structure.
These are the building blocks you will need to begin your project of creating a cybersecurity law program. However, you must keep in mind that even the best thought out cybersecurity law programs cannot deter every lawsuit. This is where cyber liability insurance plays an important role. Creating an important program such as this does not happen overnight; it takes planning, investment, and time. It may be easy to become overwhelmed, but remember that small, steady progress is better than no program at all.

Your Next Step

You may be asking yourself, “What is next?” Well, you are in luck. Understanding your current state of readiness is the essential first step. Go to Appendix A and complete the Cyber Tort Readiness Checklist. This will give you real insight into how prepared your organization is to defend against a data breach lawsuit. Next, review the Bill of Materials in Appendix A, which will show you what is necessary to construct your program by providing you an inventory of what you will require. Use the charts in this chapter as your guidepost for design. They will allow you to visualize the result of your efforts in building a program. If you are lacking technology to automate aspects of your program, investigate some of the products I have mentioned throughout various chapters. When you are ready, staff your program using the sample organization chart and RACI diagram provided as your guide. Use the knowledge learned in this book to advise your organization on how to avoid a cyber liability lawsuit, and if your company is sued, be the voice of reason and have confidence you can guide the company to the best possible outcome.

References

Anderson, R. D. (2015, May 21). Five takeaways from the first cyber insurance case. Retrieved from http://www.klgates.com/five-takeaways-from-the-first-cyber-insurance-case-05-21-2015/

DiCanio, M. N. (2015, May 19). Preparing for the inevitable: Insurance for data breaches. New York Law Journal. Retrieved from https://www.lowenstein.com/files/Publication/c8b97609-204a-4735-ae92-dd3c4c292fb0/Presentation/PublicationAttachment/8ee423b0-aa5e-474d-9cb9-49a78ad1ec0c/Preparing%20for%20the%20Inevitable_Insurance%20for%20Data%20Breaches.pdf

Finkle, J. (2015, October 12). Cyber insurance premiums rocket after high-profile attacks. Reuters Technology News. Retrieved from http://www.reuters.com/article/us-cybersecurity-insurance-insight-idUSKCN0S609M20151012

Greenwald, J. (2012, August 23). DSW Shoe Warehouse wins dispute with Chartis unit over data theft coverage. Business Insurance. Retrieved from http://www.businessinsurance.com/article/20120823/NEWS07/120829934

Greenwald, J. (2014, February 25). Zurich owes no defense in Sony PlayStation hacking: Court. Business Insurance. Retrieved from http://www.businessinsurance.com/article/20140225/NEWS07/140229914

Grounds, A. A. (2015, December 2). 2015 revisions to the Federal Rules of Civil Procedure are now in effect: 5 key practice pointers to meeting the new requirements. Retrieved from http://www.troutmansanders.com/2015-revisions-to-the-federal-rules-of-civil-procedure-are-now-in-effect-5-key-practice-pointers-to-meeting-the-new-requirements-12-02-2015/

Harris, B. (2016, July). Legal hold and data preservation: Benchmark survey 2016 results [White paper]. Retrieved from https://www3.zapproved.com/rs/503-UGJ-486/images/Survey_2016_Legal_Hold_Benchmark_Report.pdf

Lavine, J. (2014, January 20). Recall Total Information Management, Inc. v. Federal Insurance Company: Expenditures from data-loss event were not personal injuries. Connecticut Law Tribune. Retrieved from http://www.ctlawtribune.com/id=1202639170141/Recall-Total-Information-Management-Inc-v-Federal-Insurance-Company?slreturn=20160924071512

Marciano, C. (2016, June 1). How much does cyber/data breach insurance cost? Retrieved from http://databreachinsurancequote.com/cyber-insurance/cyber-insurance-data-breach-insurance-premiums/

Millman, R. (2016, November 21). Legal experts predict 600% surge in data protection disputes. ITPro. Retrieved from http://www.itpro.co.uk/strategy/27612/legal-experts-predict-600-surge-in-data-protection-disputes

Ramsinghani, M. (2016, May 23). Can startups disrupt the $20 billion cyber insurance market? TechCrunch. Retrieved from https://techcrunch.com/2016/05/23/can-startups-disrupt-the-20-billion-cyber-insurance-market/

Sturdevant, M. (2014, October 10). Travelers says liability policy doesn't cover P.F. Chang's data breach. Hartford Courant. Retrieved from http://www.courant.com/business/connecticut-insurance/hc-travelers-p-f-chang-data-breach-20141009-story.html

Wolin, R., & Sessions, L. (2013, October 17). Computer crime insurance coverage: Can it cover fraudulent entries submitted by an authorized user? Lexology. Retrieved from http://www.lexology.com/library/detail.aspx?g=b4ef1d80-6483-4988-9d51-524c87695ccc

Appendix A: Useful Checklists and Information

These lists are to guide you in your research. The author does not endorse any of the agencies, providers, or products listed here. Names of all products and companies are trademarked and are the sole property of the owners. Note: Links in all tables are current as of October 2016.

Table A-1. eDiscovery Software

Table A-1 lists some eDiscovery software available to automate a cybersecurity law program.

| Product | Company | Key Features | Deployment | Supported Users |
|---|---|---|---|---|
| CloudNine | CloudNine | Case Analytics; Compliance Management; Discovery; Document Indexing; Full Text Extraction; Keyword Search; Meta Data Extraction; Topic Clustering | Cloud, SaaS, Web | 1 to 1000+ |
| Discovery Attender | Sherpa Software | Full Text Extraction; Keyword Search; Meta Data Extraction | Windows | 1 to 1000+ |
| Logikcull | Logikcull.com | Case Analytics; Compliance Management; Document Indexing; Full Text Extraction; Keyword Search; Meta Data Extraction; Topic Clustering | Cloud, SaaS, Web | 1 to 1000+ |
| Nextpoint | Nextpoint, Inc. | Case Analytics; Document Indexing; Full Text Extraction; Keyword Search; Meta Data Extraction; Topic Clustering | Cloud, SaaS, Web | 1 to 1000+ |
| Wind | E-STET LLC | Document Indexing; Full Text Extraction; Keyword Search; Meta Data Extraction | Cloud, SaaS, Web | 1 to 49 |
| Z-Discovery | Zapproved, Inc. | Document Indexing; Full Text Extraction; Keyword Search; Meta Data Extraction; Topic Clustering | Cloud, SaaS, Web | 1 to 9 |

Table A-2. Cybercrime Reporting Agencies

Should you need to notify external law enforcement agencies, see the list in Table A-2.

| Cybercrime Type | Reporting Agency |
|---|---|
| Child Pornography & Exploitation | FBI local office; US Immigration and Customs Enforcement (Import Crimes); Internet Crime Complaint Center |
| Computer Hacking Incidents | FBI local office; Internet Crime Complaint Center; US Secret Service |
| Copyright Piracy | FBI local office; Internet Crime Complaint Center; US Immigration and Customs Enforcement (ICE) |
| Internet Fraud & Spam | FBI local office; Federal Trade Commission (online complaint); Securities and Exchange Commission; Internet Crime Complaint Center; US Secret Service |
| Password Trafficking | FBI local office; Internet Crime Complaint Center; US Secret Service |
| Theft of Trade Secrets & Economic Espionage | FBI local office |
| Trademark Counterfeiting | FBI local office; Internet Crime Complaint Center; US Immigration and Customs Enforcement (ICE) |

Table A-3. Cyber Tort Readiness Checklist

Use Table A-3 to determine if your company would be prepared for a data breach lawsuit. Answer each question yes or no and record a score for it.

1. Does an inventory of legal and regulatory statutes exist?
2. Has an assessment been completed of the penalties your company could incur for violating legal and regulatory statutes?
3. Intentional Cybercrimes against Persons: Does your company have a policy prohibiting cybersecurity torts consisting of cyberbullying, cyber defamation, cyberstalking, etc.?
4. Cybertrespass to Chattel: Does your company have a policy prohibiting cybertrespass consisting of sending spam, installing spyware, and causing denial of service attacks?
5. Cyber-conversion: Does your company have a policy prohibiting session hijacking and using computer services not previously authorized?
6. Does your company have monitoring systems in place to detect intentional cybercrimes against persons?
7. Does your company have monitoring systems in place to detect cybertrespass to chattel?
8. Does your company have monitoring systems in place to detect cyber-conversion?
9. Does your company use a risk-based approach to defend against data breaches?
10. Does your company use commercially reasonable means to protect customer data?
11. Does your company have a data breach incident response plan?
12. Does your company have a data breach communications strategy?
13. Does your company comply with data breach safe harbor provisions?
14. Does your company have a cyber liability insurance policy?
15. Has your company’s board of directors approved your data breach incident response plan?
16. Has your company’s legal counsel been actively involved with your data breach incident response plan?

Instructions: To arrive at your total score, assign a 1 for each yes answer and a 0 for each no answer. To interpret your total score, see the chart below:

| Total Score | Rating |
|---|---|
| 0 - 4 | Poor |
| 5 - 8 | Fair |
| 9 - 12 | Good |
| 13 - 16 | Better |

Table A-4. Providers of Cyber Liability Insurance

If you are considering cyber liability insurance, Table A-4 lists possible companies.

| Company | Policies | Risk Management Services |
|---|---|---|
| American International Group, Inc. | CyberEdge; CyberEdge Plus | Axio Global; BitSight; IBM Security Services; K2 Intelligence; RiskAnalytics |
| Chubb Limited | Chubb Privacy Protection; Chubb DigiTech; Integrity+ | Compliance Assessments; Loss Prevention Portal; Data Breach Plans |
| Philadelphia Insurance Companies; The Hartford; The Travelers Indemnity Company | Cyber Security Liability Program (Philadelphia Insurance Companies); Data Breach Insurance (The Hartford); CyberFirst, with First Party and Third Party coverage (The Travelers Indemnity Company) | Breach Assistance Resource Directory; Breach Notification Law Directory; Breach Response Templates; Breach Risk Assessment; Breach Response Partners; Data Breach Preparedness Website; Cyber Risk Pressure Test; Data Breach Coach Directory; Data Breach Planning Resources; Data Breach Coaches; Data Breach Response Services |
| Zurich American Insurance Company | Security and Privacy (S&P) Protection | NetDiligence Cyber Risk Assessments |

Table A-5. Research Sources

Access the sources of research in Table A-5 when creating your cyberlaw program.

| Resource | Summary |
|---|---|
| 2015 Internet Crime Report | Internet Crime Complaint Center (IC3) annual report that aggregates and highlights the data provided by the general public concerning Internet crimes. |
| 2016 Data Breach Litigation Report | 2016 report covering 15 months of 83 data breach litigation cases. |
| Cornell University Law School | Portal for searching federal, state, and regulatory statutes as well as the US Code, Uniform Commercial Code (UCC), and world law. |
| Data Breach Notification Laws | Inventory of the 47 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands that have enacted legislation requiring private, governmental, or educational entities to notify individuals of security breaches of information involving personally identifiable information. |
| EU Cybersecurity Dashboard | Study conducted by BSA \| The Software Alliance, which includes analysis of the legal foundations of cybersecurity across 28 member states. |
| United States Courts | The federal rules of practice and procedure govern litigation in the federal courts. This site provides access to the federal rules and forms in effect, information on the rulemaking process (including proposed and pending rules amendments), and historical and archival records. |
| Model Contract for Personal Data Transfer | Sample contractual clauses approved by the Council and the European Parliament for transfer of data outside of the EU. |
| State Computer Crime Statutes | Inventory of all available state computer crime statutes with links to respective state laws. |

Table A-6. Digital Forensics Toolkits

Digital forensics software is required to gather legally admissible evidence. Table A-6 lists some of the computer forensics toolkits on the market today.

| Product | Company | Summary |
|---|---|---|
| AccessData Forensic Toolkit (FTK) | AccessData Corp | Designed for law enforcement and corporate security professionals, providing the ability to perform complete and thorough computer forensic examinations. Features powerful file filtering and search functionality through customizable filters to sort through thousands of files to find the evidence. |
| EnCase Forensic Edition | Guidance Software | Advanced features for computer forensics and investigations through the use of an intuitive GUI. Provides investigators with the tools to conduct large-scale and complex investigations with accuracy and efficiency. Designed for non-invasive computer forensic investigations, allowing examiners to manage large volumes of computer evidence and view all relevant files, including “deleted” files, file slack, and unallocated space. |
| P2 Commander | Paraben Corporation | Comprehensive digital investigation tool with over ten years of court-approved use by forensic examiners. An integrated database and multi-threading for fast processing. Includes email examination tools for network email and personal email archive analysis. Advanced features include data triage analysis, Xbox analysis, pornography detection, and more. |
| Passware Kit Forensic | Passware, Inc. | A complete solution for encrypted evidence discovery, encryption analysis, password recovery, and decryption. Passware’s top selling products are widely used by law enforcement agencies and are included in Certified Computer Examiner training. |
| SQLite Forensics Explorer | Acquire Forensics | Integrated toolkit includes email examiner software, email viewers, and data analysis solutions. Advanced features consist of MBOX, MSG, PST, OST, and DMG viewers. |

Table A-7. Cyber Liability Stress Test

Use the questionnaire in Table A-7 to perform a stress test to determine how well your cybersecurity, privacy, or legal practices would function in the face of real offenses. Answer each scenario yes or no and record a score for it.

1. Do monitoring practices exist to detect internal or external trade secret theft?
2. Do monitoring practices exist to detect real-time credit card number theft?
3. Can your security monitoring capabilities detect employees accessing or storing child pornography?
4. Can your security monitoring capabilities detect the installation and use of pirated software?
5. Do monitoring capabilities exist to detect unauthorized access of email accounts?
6. Could your company pass an OCR HIPAA Privacy Rule enforcement investigation?
7. Could your company pass an FTC COPPA enforcement investigation?
8. Could your company successfully defend a Fourth Amendment or ECPA violation lawsuit regarding monitoring employee activities?
9. Does your company have a policy to handle derivative lawsuits?
10. Does your company have a policy to support employees personally named in a class action lawsuit?
11. Does your company have a policy to protect whistleblowers?
12. Does your company monitor for cryptography export violations?
13. Do you know if your company is violating any cryptography patents?
14. Does your company have a legal privilege policy in place to prevent security assessment reports from discovery?
15. Will your cyber liability policy application show a true representation of your company’s security controls?
16. Has a coverage gap assessment been completed for your company’s cyber liability policy?

Instructions: To arrive at your total score, assign a 1 for each yes answer and a 0 for each no answer. To interpret your total score, see the chart below:

| Total Score | Rating |
|---|---|
| 0 - 4 | Low |
| 5 - 8 | Moderate |
| 9 - 12 | Strong |
| 13 - 16 | High |

Table A-8. Cybersecurity Law Program Bill of Materials

Table A-8 lists the components that you will require to create your cybersecurity law program.

| Sub-component | Cybersecurity Law | Data Privacy Law | Cryptographic Law | Forensics Law | Cyber Liability Insurance |
|---|---|---|---|---|---|
| People (Roles) | Senior Legal Counsel; Cyberlaw Librarian; Cyberlaw Analyst | Chief Privacy Officer | Cybersecurity Analyst | Forensics Lead | Insurance Risk Manager |
| Policies | Cybersecurity Law Program Policy | Privacy Policy Statements | Cryptology Policy Statements | Digital Forensics Policy | Cyber Liability Insurance Policy Statements |
| Procedures | Federal Rules of Civil Procedure (FRCP) Manual; Federal Rules of Criminal Procedure; Data Breach Incident Response Plan | iKeepSafe Framework; NIST SP 800-53 Appendix J Privacy Controls | Cryptography Export License Form; NIST SP 800-111; Wassenaar Arrangement | Digital Evidence Procedure | Cyber Liability Insurance Policy; Claims Procedure; Coverage Assessment Checklist |
| Technology | eDiscovery Software; SharePoint; Westlaw or Lexis/Nexis; RSS Feeds | Policy Compliance Scanning Software | Data-at-Rest Encryption Software; Data-in-Transit Encryption Software | Forensics Toolkit | NA |

About the Author Tari Schreider, SSCP, CISM, C|CISO, ITIL Foundation, is a distinguished technologist and nationally known expert in the fields of cybersecurity, risk management, and disaster recovery. Co-founder of Prescriptive Risk Solutions, LLC (PRS), he is former Chief Security Architect at Hewlett-Packard Enterprise. PRS designs custom solutions for companies with challenging legal and regulatory compliance issues that need to be solved quickly. PRS maintains one of the world’s largest databases of security and disaster recovery incidents with nearly 12,000 incidents covering 10.6 billion compromised records. Mr. Schreider has designed and implemented complex cybersecurity programs including a red team penetration testing program for one of the largest oil and gas companies in the world, an NERC CIP compliance program for one of Canada’s largest electric utility companies, and an integrated security control management program for one of the US’ largest 911 systems. He has advised organizations from China to India on how to improve their cybersecurity programs through his Information Security Service Management – Reference Model (ISSM-RM). Schreider implemented a virtual Security Operations Center network with vSOCs located in the US, Brazil, Italy, Japan, Sweden, and the US. He was also responsible for creating the first Information Sharing and Analysis Center in collaboration with the Information Technology Association of America (IT-ISCA). His earliest disaster recovery experiences included assisting companies affected by the 1992 Los Angeles Rodney King Riots, and 1993 World Trade Center bombing. His unique experience came during the 1990 Gulf War, helping a New York financial institution recover after becoming separated from its data center in Kuwait.

Schreider has appeared on ABC News, CNN, CNBC, NPR, and has had numerous articles printed in security and business magazines including Business Week, New York Times, SC Magazine, The Wall Street Journal, and many others. He studied Criminal Justice at the College of Social & Behavioral Sciences at the University of Phoenix and holds the following certifications in security and disaster recovery:

• American College of Forensic Examiners, CHS-III
• Certified CISO (C|CISO)
• Certified Information Security Manager (CISM)
• ITIL™ v3 Foundation Certified
• System Security Certified Practitioner (SSCP)
• The Business Continuity Institute, MBCI
• University of Richmond – Master Certified Recovery Planner (MCRP)

Credits Kristen Noakes-Fry, ABCI, is Executive Editor at Rothstein Publishing. Previously, she was a Research Director, Information Security and Risk Group, for Gartner, Inc.; Associate Editor at Datapro (McGraw-Hill), where she was responsible for Datapro Reports on Information Security; and Associate Professor of English at Atlantic Cape College in New Jersey. She holds an M.A. from New York University and a B.A. from Russell Sage College.

Cover Design and Graphics: Sheila Kwiatek, Flower Grafix

eBook Design & Processing: Donna Luther, Metadata Prime

Copy Editing: Nancy M. Warner

Publishing & Marketing Intern: Sarah Patton

Philip Jan Rothstein, FBCI, is President of Rothstein Associates Inc., a management consultancy he founded in 1984 as a pioneer in the disciplines of Business Continuity and Disaster Recovery. He is also the Executive Publisher of Rothstein Publishing.

Rothstein Publishing is your premier source of books and learning materials about Business Resilience, including Crisis Management, Business Continuity, Disaster Recovery, Emergency Management, Security, and Risk Management. Our industry-leading authors provide current, actionable knowledge, solutions, and tools you can put in practice immediately. Rothstein Publishing remains true to the decades-long commitment of Rothstein Associates, which is to prepare you and your organization to protect, preserve, and recover what is most important: your people, facilities, assets, and reputation.
