What is “reasonable cybersecurity” and how do courts view it? (SecureWorld interviews)

What is “reasonable cybersecurity” and how do courts view “reasonable cybersecurity”?

See KnowB4’s discussion of these interviews

These are two excellent questions that I was asked and I answered, as succinctly as I could, in two short interviews with SecureWorld. Tell me what you think about my answers.

What Is Reasonable Cybersecurity? – SecureWorld article

How Courts & Attorneys View ‘Reasonable Cybersecurity’ in 2018 – SecureWorld article

Here are the videos.

 

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Uber’s CISO Makes Case for Uniform National Data Breach Notification Law

UberUber’s Chief Information Security Officer (CISO), John Flynn, made a case for a uniform national data breach notification law in his testimony to members of Congress (see penultimate paragraph of full written testimony):

I would like to conclude by stating that we strongly support a unified, national approach to data security and breach standards. We are proactively engaged in the many conversations in both the technical and policy communities to help identify what the critical components of federal data breach legislation should be, and are pleased to see this robust conversation taking place with various Members of Congress and your staff. We welcome the opportunity to be at the table to help all stakeholders understand the best practices.

I agree!

NTSC LogoIf you are a CISO of a company and are interested in participating in this discussion, please considering joining the National Technology Security Coalition (NTSC) in this effort to get an appropriate uniform federal data breach notification law passed. (Disclaimer, I am a member of the NTSC’s Policy Counsel and will be assisting in drafting proposed legislation.)

See these related posts:

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

3 Legal Points for InfoSec Teams to Consider Before an Incident

secureworldAs a teaser to my presentation at SecureWorld – Dallas last week, I did a brief interview with SecureWorld and talked about three of the points I would make in my lunch keynote, The Legal Case for Cybersecurity. If you’re going to SecureWorld – Denver next week, join me for the lunch keynote on Thursday (11/2) as I will again be making The Legal Case for Cybersecurity.

In the SecureWorld article, Why InfoSec Teams Need to Think with a ‘Legal’ Mind, Before an Incident, we discuss these three points:

  1. There are three general types of “cyber laws” that infosec needs to understand;
  2. Sadly, far too many companies do not take cybersecurity seriously until after they have had a significant incident; and
  3. Companies’ need for implementing and continuously maturing a cyber risk management program (such as my CyberGard).

 

What do we in the United States really want from our cyber laws?

In my newsfeed are articles in prominent publications discussing the problems with the federal Computer Fraud and Abuse Act from very different perspectives.

www.businesscyberrisk.comIn the “the CFAA is dangerous for security researchers” corner we have White Hat Hackers and the Internet of Bodies, in Law360, discussing how precarious the CFAA (and presumably, the state hacking laws such as Texas’ Breach of Computer Security / Harmful Access by Computer laws) and Digital Millenium Copyright Act can be for security researchers.

In the “the CFAA prevents companies from defending themselves” corner we have New Bill Would Allow Hacking Victims to ‘Hack Back’, in The Hill, discussing The Active Cyber Defense Certainty Act (ACDC). ACDC (what a great acronym!) would allow companies more latitude in defending themselves against those intruding into their networks by permitting them to use techniques described as “active defense,” under certain conditions, though not permitting companies to counterattack.

Now, instead of thinking about these two measures in isolation, think of them together. What if we were to get both of them passed into law? What if we got one or the other?

This reminds me of a piece I wrote about the CFAA and the broader national policy discussion a few years ago, Hunter Moore or Aaron Swartz: Do we hate the CFAA? Do we love the CFAA? Do we even have a clue? In that piece I stated,

The CFAA has become a national lightening rod with many loving it, many hating it, and far too many loving it and hating it at the same time, without even realizing it. Before we go any further, however, consider this quote:

The CFAA was tailor-made to punish precisely the kind of behavior that [guess who?] is charged with: breaking into other people’s accounts and disseminating their … information.

Quick! Who is that referring to? Hunter Moore? Edward Snowden? Aaron Swartz? Sandra Teague?

I used this overly simplified example to try and make a point that, philosophically, we as a nation need to stop looking at each of these cases and laws in isolation and need to look at the bigger picture of how it all fits together. Picking and choosing based upon our own personal likes and dislikes due to the emotional tug of the facts is no way to develop, maintain, and mature a body of law on any subject matter — much less one as complicated as cyber.

Take this discussion and add into the mix new security-based laws such as NYDFS and then mix in the 48 states + HIPAA, GLBA, etc. breach notification laws, the conundrum of cybersecurity law schizophrenia, and then see what we have to work with. Does it all make sense?

What do you think? Where do we begin? Who needs to be involved in working this out? What are the first questions we need to ask?

IoT Cybersecurity Improvement Act of 2017 proposed by Senate Cybersecurity Caucus

On August 1, 2017, the Senate Cybersecurity Caucus introduced the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017,” bi-partisan legislation focused on establishing minimum security requirements for the federal procurement of Internet connected devices (#IoT). Continue reading “IoT Cybersecurity Improvement Act of 2017 proposed by Senate Cybersecurity Caucus”