3 Legal Points for InfoSec Teams to Consider Before an Incident

secureworldAs a teaser to my presentation at SecureWorld – Dallas last week, I did a brief interview with SecureWorld and talked about three of the points I would make in my lunch keynote, The Legal Case for Cybersecurity. If you’re going to SecureWorld – Denver next week, join me for the lunch keynote on Thursday (11/2) as I will again be making The Legal Case for Cybersecurity.

In the SecureWorld article, Why InfoSec Teams Need to Think with a ‘Legal’ Mind, Before an Incident, we discuss these three points:

  1. There are three general types of “cyber laws” that infosec needs to understand;
  2. Sadly, far too many companies do not take cybersecurity seriously until after they have had a significant incident; and
  3. Companies’ need for implementing and continuously maturing a cyber risk management program (such as my CyberGard).

 

New York Cybersecurity Regulations Delayed, Being Revised

New York Skyline at Twilight Hour
The New York Skyline at Twilight Hour

Photo Credit: Photo Credit: Marco Verch
Licensed under Creative Commons Attribution 2.0 (no changes were made to the image) https://creativecommons.org/licenses/by/2.0/deed.en

The New York Department of Financial Services has pushed back the effective date of its Cybersecurity Regulations from January 1, 2017 to March 1, 2017. This is to give the NYDFS time to significantly revise the proposed Cybersecurity Regulations initially released for comment in September 2016, which created quite a bit of controversy. The revised regulations are to be published on December 28, 2016.

The NYDFS signaled this change two days after a hearing in Albany, New York in which New York bankers voiced their concerns to New York State lawmakers. While the NYDFS has not elaborated on what is being re-written, the following are some of the key concerns that were voiced to lawmakers in the hearing:

  1. It would cost too much.
  2. Banks shouldn’t be forced to hire CISOs.
  3. The rules are too tough.
  4. New York’s regulation is too different from the federal rules of FFIEC, Federal Reserve, the OCC, the FDIC and even NIST.
  5. The regulation is “one size fits all.”
  6. It calls for too much incident reporting.
  7. The extra regulation and reporting could create an impression that New York banks are less secure than others.

These points are explained more thoroughly in the American Banker source article New York Rewriting Cybersecurity Rules After Banker Pushback.

Here are two articles I have written for SecureWorld that discuss the proposed NYDFS Cybersecurity Regulations and I will also address the revisions in the near future:

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Ashley Madison & FTC Settle Data Breach Case – Does Your Company Have These Cybersecurity Shortcomings?

Ashley Madison and the FTC announced a settlement of the investigation into the breach data breach of 36 million AshleyMadison.com users that was being pursued by the FTC and several states’ attorneys general. The cost to Ashley Madison is substantial:

  • a total judgment of $17.5 million (though only $1.6 million is currently due because of inability to pay the remainder, thus, that amount is suspended),
  • required corrective measures, including implementing a comprehensive cybersecurity program, and
  • required cybersecurity assessments by a “qualified, objective, independent third-party professional” every two years.

Business insecurity leaders would be well advised to pay close attention to the specific shortcomings that the FTC found with Ashley Madison’s cyber security practices:

  • no written information security policy,
  • no reasonable access controls,
  • inadequate security training of employees,
  • no knowledge of whether third-party service providers were using reasonable security measures, and
  • no measures to monitor the effectiveness of their system security.

After looking at the foregoing list, ask yourself this question: “does my company have any of these same problems?” If your answer is “Yes,” “Maybe,” or “I don’t know,” then your company could easily find itself in the same position as Ashley Madison being pursued by the FTC should it have a data breach.

The FTC also listed the following issues by Ashley Madison as giving rise to the investigation:

  • the defendants misrepresented that they had taken reasonable steps to ensure AshleyMadison.com was secure,
  • that they had received a “Trusted Security Award”,
  • that they would delete all of the information of consumers who utilized their Full Delete service, and
  • engaged in unfair security practices by failing to take reasonable steps to prevent unauthorized access to personal information on their network, causing substantial consumer harm.

Here is the full FTC announcement of the settlement.

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Cybersecurity Legal Issues: What you really need to know (slides)

Shawn Tuma delivered the presentation Cybersecurity Legal Issues: What you really need to know at a Cybersecurity Summit sponsored by the Tarleton State University School of Criminology, Criminal Justice, and Strategic Studies’ Institute for Homeland Security, Cybercrime and International Criminal Justice. The presentation was on September 13, 2016 at the George Bush Institue. The following are the slides from Tuma’s presentation — a video of the presentation will be posted soon!

Continue reading “Cybersecurity Legal Issues: What you really need to know (slides)”

Computer Use Policies – Are Your Company’s Illegal According to the NLRB?

4c00b10767cf8a5c15a4cde1b4c4f0a4_f120The National Labor Relations Board (NLRB) has continued its assault on businesses and their ability to legitimately protect their computer systems and information against unauthorized non-business use by employees.

A few weeks ago, I wrote 3 Important Points on Computer Policies in which I stressed (1) why your company must have them but (2) that such policy must comply with the NLRB’s Purple Communications case. The NLRB has struck again.

On May 3, 2016, an NLRB Administrative Law Judge struck down as overbroad a Computer Use Policy in Ceasars Entertainment Corporation d/b/a Rio All-Suites Hotel and Casino (NLRB Docket Sheet). The policy, titled Use of Company Systems, Equipment, and Resources, was part of the company handbook and stated that computer resources may not be used to do several things that were listed out and is standard in many similar policies. The NLRB decision (Decision) found that prohibitions against the following was illegal:

  • Share confidential information with the general public, including discussing the company, its financial results or prospects, or the performance or value of company stock by using an internet message board to post any message, in whole or in part, or by engaging in an internet or online chatroom
  • Convey or display anything fraudulent, pornographic, abusive, profane, offensive, libelous or slanderous
  • Send chain letters or other forms of non-business information
  • Solicit for personal gain or advancement of personal views
  • Violate rules or policies of the Company

The NLRB found that prohibiting the conduct mentioned above made the policy overbroad and could effectively limit employees’ use of their employer’s email system to engage in Section 7 communications during nonworking time. Because of that, it found the employer has engaged in an unfair labor practice prohibited by the National Labor Relations Act.

Welcome to Wonderland.

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.