Academic year: 2021


Practical Lessons Learned: An Overview of Cybersecurity Law & Information Governance

Howard R. Feldman, hfeldman@wtplaw.com, 410.347.8793
S. Keith Moulsdale, kmoulsdale@wtplaw.com, 410.347.8721

Baltimore Chapter

What we're trying to protect

Privacy Rights
- PII, Identity, Financial Matters, Healthcare, Children, Online Behaviors, Employee Behaviors, Behaviors in our House/Private Space, etc.
- Safety: of children, and from violence, stalking and harassment

Intellectual Property
- Trade Secrets: formulae; flow charts; processes; novel ideas; financials
- Copyrights: music; videos; photos of private people; photos of famous people; software code
- Trademarks: domain name ownership

State Secrets
- How to build a nuclear bomb; communications between embassies; troop numbers and movements; satellite positioning and capabilities; how to build a drone

Networks + Infrastructure
- Shared: financial systems, phone systems, energy grids
- Personal: Wi-Fi

Cybersecurity is merely an aspect of Information Security + Governance

Cybersecurity: (a) technological, social and legal controls (b) implemented by governments, NGOs, private organizations and individuals (c) to secure electronic communications and networks, and other related spaces and things, that store RVA (d) from manipulation, theft and attack (e) by enemies of the state, terrorists, hackers, competitors and others.

Cybersecurity Law and Information Security Law: complying with laws whose purpose or effect is to protect RVA in an electronic and physical world.

Cybersecurity + Information Governance: Pressure Points

Data: Big, Inexpensive + Accessible

Storage volume is plentiful and inexpensive:
- iPhone 4S: 16 - 64 GB
- Basic laptop: 320 GB
- Basic desktop computer: 1 TB (1024 GB)
- 4 GB thumb drive: $8.00
- 2 TB external hard drive: $90.00

Capacity of one 4 GB thumb drive ($8):
- 400,000 pages (or 160 boxes) of e-mail files
- 260,000 pages of Word documents

"Big Data" software is here, too:
- Apache Hadoop; NoSQL; FireAMP at SourceFire

[Chart: Quantity of Global Digital Data - Exabytes]

Source: EMC/IDC Digital Universe Study, 2011 (as reported in The Economist, The World in 2012)

Where is the info. you need to protect?

Data lives on computers, but it lives in other vulnerable places, too:
- On cellulose pulp, derived mainly from wood, and shaped into 8.5 x 11 sheets; and in strange metal structures with sliding doors.
- In people's heads and devices.
- Behind doors, locked and otherwise.
- On laptops, CDs, thumb drives and smart phones, which are easily transportable.
- In off-site storage boxes.

Where are the threats coming from?

Data security threats are not merely electronic.

Source: Identity Theft Resource Center, 2011 ITRC Breach Report, http://www.idtheftcenter.org/artman2/publish/headlines/Breaches_2011.shtml

Who are the targets?

Every company is at risk:
- Private Companies
- Security Companies
- Defense Contractors & Consultants
- Government Agencies
- Financial Institutions

Size + Impact of Breaches

- The impact of each breach is growing
- Average cost of a U.S. data security breach in 2010 (according to Ponemon Institute studies):
  - $7.2 million per breach (up from $6.8 million)
  - $214 per record
    - $318 per record for malicious or criminal acts
    - $167 per record for negligence or systems failure

Legal Landscape

U.S.
- Jumble of IP, Privacy, Security + Retention Laws
- Mostly Vertical (Industry Specific)

U.S. States
- Also a jumble
- Lack of uniformity (e.g., data security breach notice laws)

Foreign & Regional Laws
- Mostly Horizontal

Business Concerns

- Operational Needs
- Safeguard information, assets and goodwill
- Extract value from growing data
- Contractual Requirements
- Business Continuity
- Institutional Memory and Archives
- Risk Tolerance

Make Cyber Security Part of an Information Security + Governance Plan

- Security
- Breach Response
- Records Management + Retention
  - Litigation Preparedness
- Business Continuity
- Computer Usage

Steps to an Information Security + Governance Plan

1. C-Level Buy-in

2. Due Diligence
   - Records Inventory
   - Data Map
   - Physical Safeguards
   - Technical Safeguards
   - Administrative Safeguards

3. Write the Plan
   - Consider legal and business concerns

4. Implement the Plan
   - Focus group testing
   - Train employees

Lessons Learned

- Need to work in multi-disciplinary teams:
  - Lawyers
  - C-level Execs
  - CTO
  - Consultants who specialize in cybersecurity
- Internal IT teams sometimes not equipped to handle

More Lessons Learned

- Address information security concerns when negotiating cloud and other vendor contracts:
  - Conduct careful due diligence and check references
  - Does the vendor have its own info. security + governance plan?
  - Require prompt notice of a possible breach
  - Reserve audit and monitoring rights
  - Indemnification
  - Where are the servers?
  - If servers are shared, how can the data be deleted?
  - Are the support staff proximate to the servers/data?
  - Encryption levels?

Even More Lessons Learned

- Don't forget to consider info. security in connection with:
  - M&A transactions
  - Insurance Policies
- Control your email
- Disaster recovery does not mean "keep everything"

Responding to Possible Security Breaches

- Rushing to disclose a security breach may cause over-reporting and drive up mistakes and costs
- Law enforcement resources are taxed
  - Be prepared to make your case
