Practical Lessons Learned: An Overview of
Cybersecurity Law & Information Governance
Howard R. Feldman
S. Keith Moulsdale
hfeldman@wtplaw.com kmoulsdale@wtplaw.com
410.347.8793 410.347.8721
Baltimore Chapter
What we’re trying to protect.
Privacy Rights
PII, Identity, Financial Matters, Healthcare, Children, Online Behaviors, Employee Behaviors, Behaviors in our House/Private Space, etc.
Safety - of children, and from violence, stalking and harassment
Intellectual Property
Trade Secrets: formulae; flow charts; processes; novel ideas; financials
Copyrights: music; videos; photos of private people; photos of famous people; software code
Trademarks: domain name ownership
State Secrets
How to build a nuclear bomb; Communications between embassies; Troop numbers and movements; Satellite positioning and capabilities; How to build a drone
Networks + Infrastructure
Shared: financial systems, phone systems, energy grids
Personal: WiFi
Cybersecurity is merely an aspect of Information Security + Governance
Cybersecurity
(a) technological, social and legal controls
(b) implemented by governments, NGOs, private organizations and individuals
(c) to secure electronic communications and networks - and other related spaces and things - that store RVA
(d) from manipulation, theft and attack
(e) by enemies of the state, terrorists, hackers, competitors and others.
Cybersecurity Law / Information Security Law
complying with laws whose purpose or effect is to protect RVA in an electronic and physical world
Cybersecurity + Information Governance
Pressure Points
Data: Big, Inexpensive + Accessible
Storage volume - plentiful and inexpensive:
o iPhone 4S: 16 - 64 GB
o Basic laptop: 320 GB
o Basic desktop computer: 1 TB (1024 GB)
o 4 GB thumb drive: $8.00
o 2 TB external hard drive: $90.00
Capacity of one 4 GB thumb drive ($8):
o 400,000 pages (or 160 boxes) of e-mail files
o 260,000 pages of Word documents
“Big Data” Software is here, too.
o Apache Hadoop; NoSQL; FireAMP at SourceFire
[Chart: Quantity of Global Digital Data, in exabytes. Source: EMC/IDC Digital Universe Study, 2011 (as reported in The Economist, The World in 2012)]
Where is the info. you need to protect?
Data lives on computers, but it lives in other vulnerable places, too:
o on cellulose pulp, derived mainly from wood, and shaped into 8.5 x 11 sheets (paper)
o in strange metal structures with sliding doors (filing cabinets)
o in people's heads and devices
o behind doors, locked and otherwise
o on laptops, CDs, thumb drives and smart phones, which are easily transportable
o in off-site storage boxes
Where are the threats coming from?
Data security threats are not merely electronic.
[Chart: breach sources. Source: Identity Theft Resource Center, 2011 ITRC Breach Report, http://www.idtheftcenter.org/artman2/publish/headlines/Breaches_2011.shtml]
Who are the targets?
Every company is at risk:
o Private Companies
o Security Companies
o Defense Contractors & Consultants
o Government Agencies
o Financial Institutions
Size + Impact of Breaches
The impact of each breach is growing
Average cost of a U.S. data security breach in 2010 (according to Ponemon Institute studies):
o $7.2 million per breach (up from $6.8 million)
o $214 per record
  - $318 per record for malicious or criminal acts
  - $167 per record for negligence or systems failure
Legal Landscape
U.S. (Federal)
o Jumble of IP, privacy, security + retention laws
o Mostly vertical (industry specific)
U.S. States
o Also a jumble
o Lack of uniformity (e.g., data security breach notice laws)
Foreign & Regional Laws
o Mostly horizontal
Business Concerns
Operational Needs
Safeguard information, assets and goodwill
Extract value from growing data
Contractual Requirements
Business Continuity
Institutional Memory and Archives
Risk Tolerance
Make Cyber Security
Part of an Information Security + Governance Plan
Security
Breach Response
Records Management + Retention
o Litigation Preparedness
Business Continuity
Computer Usage
Steps to an Information Security + Governance Plan
1. C-Level Buy-in
2. Due Diligence
o Records Inventory
o Data Map
o Physical Safeguards
o Technical Safeguards
o Administrative Safeguards
3. Write the Plan
o consider legal and business concerns
4. Implement the Plan
o focus group testing
o Train employees
Lessons Learned
Need to work in multi-disciplinary teams
o Lawyers
o C-level Execs
o CTO
o Consultants who specialize in cybersecurity
o Internal IT teams are sometimes not equipped to handle this alone
More Lessons Learned
Address information security concerns when negotiating cloud and other vendor contracts:
o Conduct careful due diligence and check references
o Does the vendor have its own info. security + governance plan?
o Require prompt notice of a possible breach
o Reserve audit and monitoring rights
o Indemnification
o Where are the servers?
o If servers are shared, how can the data be deleted?
o Are the support staff proximate to the servers/data?
o What encryption is used (for data at rest and in transit)?
Even More Lessons Learned
Don’t forget to consider info. security in connection with:
o M&A transactions
o Insurance Policies
Control your email
Disaster recovery does not mean “keep everything”
Responding to Possible Security Breaches
Rushing to disclose a security breach before the facts are established may cause over-reporting and drive up mistakes and costs
Law enforcement resources are taxed
o be prepared to make your case