3 Legal Points for InfoSec Teams to Consider Before an Incident

As a teaser to my presentation at SecureWorld – Dallas last week, I did a brief interview with SecureWorld and talked about three of the points I would make in my lunch keynote, The Legal Case for Cybersecurity. If you’re going to SecureWorld – Denver next week, join me for the lunch keynote on Thursday (11/2) as I will again be making The Legal Case for Cybersecurity.

In the SecureWorld article, Why InfoSec Teams Need to Think with a ‘Legal’ Mind, Before an Incident, we discuss these three points:

  1. There are three general types of “cyber laws” that infosec needs to understand;
  2. Sadly, far too many companies do not take cybersecurity seriously until after they have had a significant incident; and
  3. Companies’ need for implementing and continuously maturing a cyber risk management program (such as my CyberGard).


New York Cybersecurity Regulations Delayed, Being Revised

The New York Skyline at Twilight Hour

Photo Credit: Marco Verch
Licensed under Creative Commons Attribution 2.0 (no changes were made to the image) https://creativecommons.org/licenses/by/2.0/deed.en

The New York Department of Financial Services has pushed back the effective date of its Cybersecurity Regulations from January 1, 2017 to March 1, 2017. This is to give the NYDFS time to significantly revise the proposed Cybersecurity Regulations initially released for comment in September 2016, which created quite a bit of controversy. The revised regulations are to be published on December 28, 2016.

The NYDFS signaled this change two days after a hearing in Albany, New York in which New York bankers voiced their concerns to New York State lawmakers. While the NYDFS has not elaborated on what is being re-written, the following are some of the key concerns that were voiced to lawmakers in the hearing:

  1. It would cost too much.
  2. Banks shouldn’t be forced to hire CISOs.
  3. The rules are too tough.
  4. New York’s regulation is too different from the federal rules of FFIEC, Federal Reserve, the OCC, the FDIC and even NIST.
  5. The regulation is “one size fits all.”
  6. It calls for too much incident reporting.
  7. The extra regulation and reporting could create an impression that New York banks are less secure than others.

These points are explained more thoroughly in the American Banker source article New York Rewriting Cybersecurity Rules After Banker Pushback.

Here are two articles I have written for SecureWorld that discuss the proposed NYDFS Cybersecurity Regulations; I will also address the revisions in the near future:

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Ashley Madison & FTC Settle Data Breach Case – Does Your Company Have These Cybersecurity Shortcomings?

Ashley Madison and the FTC announced a settlement of the investigation into the data breach of 36 million AshleyMadison.com users that was being pursued by the FTC and several states’ attorneys general. The cost to Ashley Madison is substantial:

  • a total judgment of $17.5 million (though only $1.6 million is currently due because of inability to pay the remainder, thus, that amount is suspended),
  • required corrective measures, including implementing a comprehensive cybersecurity program, and
  • required cybersecurity assessments by a “qualified, objective, independent third-party professional” every two years.

Business and security leaders would be well advised to pay close attention to the specific shortcomings that the FTC found in Ashley Madison’s cybersecurity practices:

  • no written information security policy,
  • no reasonable access controls,
  • inadequate security training of employees,
  • no knowledge of whether third-party service providers were using reasonable security measures, and
  • no measures to monitor the effectiveness of their system security.

After looking at the foregoing list, ask yourself this question: “does my company have any of these same problems?” If your answer is “Yes,” “Maybe,” or “I don’t know,” then your company could easily find itself in the same position as Ashley Madison being pursued by the FTC should it have a data breach.

The FTC also listed the following issues by Ashley Madison as giving rise to the investigation:

  • the defendants misrepresented that they had taken reasonable steps to ensure AshleyMadison.com was secure,
  • that they had received a “Trusted Security Award”,
  • that they would delete all of the information of consumers who utilized their Full Delete service, and
  • engaged in unfair security practices by failing to take reasonable steps to prevent unauthorized access to personal information on their network, causing substantial consumer harm.

Here is the full FTC announcement of the settlement.


Cybersecurity Legal Issues: What you really need to know (slides)

Shawn Tuma delivered the presentation Cybersecurity Legal Issues: What you really need to know at a Cybersecurity Summit sponsored by the Tarleton State University School of Criminology, Criminal Justice, and Strategic Studies’ Institute for Homeland Security, Cybercrime and International Criminal Justice. The presentation was on September 13, 2016 at the George Bush Institute. The following are the slides from Tuma’s presentation — a video of the presentation will be posted soon!


Computer Use Policies – Are Your Company’s Illegal According to the NLRB?

The National Labor Relations Board (NLRB) has continued its assault on businesses and their ability to legitimately protect their computer systems and information against unauthorized non-business use by employees.

A few weeks ago, I wrote 3 Important Points on Computer Policies in which I stressed (1) why your company must have them but (2) that such policy must comply with the NLRB’s Purple Communications case. The NLRB has struck again.

On May 3, 2016, an NLRB Administrative Law Judge struck down as overbroad a Computer Use Policy in Caesars Entertainment Corporation d/b/a Rio All-Suites Hotel and Casino (NLRB Docket Sheet). The policy, titled Use of Company Systems, Equipment, and Resources, was part of the company handbook and listed several things that computer resources may not be used to do, as is standard in many similar policies. The NLRB decision (Decision) found that prohibitions against the following were illegal:

  • Share confidential information with the general public, including discussing the company, its financial results or prospects, or the performance or value of company stock by using an internet message board to post any message, in whole or in part, or by engaging in an internet or online chatroom
  • Convey or display anything fraudulent, pornographic, abusive, profane, offensive, libelous or slanderous
  • Send chain letters or other forms of non-business information
  • Solicit for personal gain or advancement of personal views
  • Violate rules or policies of the Company

The NLRB found that prohibiting the conduct mentioned above made the policy overbroad and could effectively limit employees’ use of their employer’s email system to engage in Section 7 communications during nonworking time. Because of that, it found the employer had engaged in an unfair labor practice prohibited by the National Labor Relations Act.

Welcome to Wonderland.


3 Important Points on Computer Use Policies

IMPORTANT POINT #1: YOUR BUSINESS MUST HAVE A COMPUTER USE POLICY IN PLACE

Computer Use Policies (or Acceptable Use Policies, as they are often referred to) are must haves for today’s businesses. Such policies are a foundational component in how a business creates a culture of security with its workforce by establishing expectations on what are and are not permissible ways to use and safeguard the business’s digital assets, as well as third parties’ information that it may be holding.

3 Important Questions the State Attorneys General Will Ask Your Company Following A Data Breach


In an earlier blog post I wrote about how

[w]hen your company has a data breach, these are the top 3 questions that you will be required to answer:

  1. How did the breach happen?
  2. What steps did your company take before the breach to protect the data and keep it from happening?
  3. What steps is your company taking after the breach to ensure this does not happen again?

These 3 questions serve as the framework for how you need to think about your company’s data security policies, procedures, and systems. (3 Important Questions Your Company Must Answer After A Data Breach | Shawn E. Tuma).

One of the main sources of these questions will be the Attorneys General of the states whose residents’ information was compromised in the data breach. In helping clients respond to data breach events in recent years, I have seen a tremendous increase in the level of interest and depth of inquiry from the AG’s offices within the last year and I expect this trend to continue.

This hunch seems to have some support from a recent article in Time discussing the response to the recent eBay data breach:

Attorneys General in three U.S. states along with European officials are investigating a massive data breach at eBay which may have compromised more than 100 million users’ passwords.

“The magnitude of the reported eBay data breach could be of historic proportions, and my office is part of a group of other attorneys general in the country investigating the matter,” said Florida Attorney General Pam Bondi in a statement Thursday.

The Federal Trade Commission and Attorneys General in Illinois and Connecticut have also vowed to conduct a probe into the incident.

“My office will be looking into the circumstances surrounding this breach as well as the steps eBay is taking to prevent any future incidents,” said Connecticut Attorney General Jepsen in a statement Thursday. “However, the most important step for consumers to take right now is to change their password and to choose a strong, unique password that is not easily guessed.”

(via Investigators Target eBay Over Massive Data Breach)

At this point, the article only mentions the AGs from 3 states — but my hunch tells me there will be a lot more involved before the dust has settled. What do you think?


Here is a “Computer Fraud” Case that is NOT Covered by the Computer Fraud and Abuse Act!

What is a CFAA "access"?
©2011 Braydon Fuller

Believe it or not, there really can be a case of “computer fraud” that is NOT covered by the Computer Fraud and Abuse Act (CFAA).

Surprised?

Let me explain.

The CFAA is an “access” crime that requires there to be an unlawful “access” to a computer by either accessing a computer “without authorization” or “exceed[ing] authorized access.” An access in this context is limited to accessing the computer in its informational capacity, such as logging in or viewing information stored on the computer, not a physical access such as opening up the box with a screwdriver and removing its processor or hard drive. (see p. 172) Now, if the hard drive is physically removed and the information stored on the hard drive is later examined, the latter could very well be a CFAA violation but the former is not.

Got it?

There is a good example of this from the recent news. A federal court jury in Houston recently convicted a man of conspiracy to defraud Hewlett-Packard of roughly $14 million. The way he did it was by fraudulently using an HP equipment discount reserved for large-volume purchasers to purchase computers for others and divert them for resale.

This was a literal case of “computer fraud” and he deserved everything he got — but it was not a violation of the CFAA because there was no unlawful informational access to a computer even though the computers themselves were fraudulently obtained and resold.

Make sense?

Now think about this scenario:

  • The case was brought in Houston, Texas, which is in the Fifth Circuit — so let’s assume Fifth Circuit CFAA jurisprudence applies.
  • What if he was an employee or contractor of HP, using his HP login credentials and access to the HP computer system?
  • What if HP had a policy (that he had signed) that expressly limited his authorization to use HP’s computer system and information therein for activities that were in the furtherance of HP’s legitimate business interests and prohibited him from using it for activities that were detrimental to its business interests?
  • What if he used his access to HP’s computer system to orchestrate this fraud?
  • What if he used his access to HP’s computer system to obtain the information he used in order to orchestrate this fraud?
  • What if HP spent more than $5,000 to investigate or remediate his activities?

What do you think now? Would HP have a CFAA civil case against him?

If you want a hint, read this post: Employment Agreement Restrictions Determined Whether Employees Exceeded Authorized Access Under Computer Fraud and Abuse Act

Read more about the underlying case involving HP: Man Convicted In HP Computer Fraud Sales Scheme « CBS Houston.



About the author

Shawn Tuma is a lawyer who is experienced in advising clients on digital business risk which includes complex digital information law and intellectual property issues. This includes things such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act; helping companies with data security issues from assessing their data security strengths and vulnerabilities, helping them implement policies and procedures for better securing their data, preparing data breach incident response plans, leading them through responses to a data breach, and litigating disputes that have arisen from data breaches. Shawn is a partner at BrittonTuma, a boutique business law firm with offices near the border of Frisco and Plano, Texas which is located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as throughout the nation pro hac vice). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.

3 Important Questions Your Company Must Answer After A Data Breach

Riddle: What has sensitive data, is the target of cyber criminals, and will (almost certainly) have a data breach?

Answer: YOUR COMPANY!

When your company has a data breach, these are the top 3 questions that you will be required to answer:

  1. How did the breach happen?
  2. What steps did your company take before the breach to protect the data and keep it from happening?
  3. What steps is your company taking after the breach to ensure this does not happen again?

These 3 questions serve as the framework for how you need to think about your company’s data security policies, procedures, and systems. A great response to the second question is to show that your company had — both for itself and third parties with which it does business — adequate security policies, procedures, and systems that are well documented and that they were audited. This is the focus of a blog post I co-authored with Scott Geye that was recently published on Whitley Penn’s In the Black blog.

Here is a brief excerpt:


If a company suffers a data breach that results in the compromise of PII, the company is then required to follow applicable breach notification rules and disclose the breach to, in most cases, certain governmental bodies, agencies, industry groups, and the consumers whose information was compromised. When this happens, the first thing many of those will ask is “how did the breach happen?” and the second thing they will ask is “what steps did the company take before the breach to protect the data and keep this from happening?”

When the company has been proactive and prepared for this, it can minimize the potential enforcement actions that will come against it, if it can show two things: First, that it had strong data security policies and procedures in place. Second, that its data security policies and procedures had been properly audited. The message that these two steps sends is that the company had taken its data security obligations seriously and that it was diligent in following up to ensure that it had done so. Something as simple as this can make a very big difference when others, such as those governmental bodies, agencies, industry groups, or even a jury, look back with the 20/20 vision of hindsight and decide if the company should be penalized because of the data breach.

*   *   *

The framework for reporting on internal controls for data privacy at service organizations has already been established. You may be familiar with Service Organization Control (“SOC”) reports. SOC reports include both SOC 1, which is intended for reporting on service organization controls over financial reporting, and SOC 2, which is intended for reporting on service organization controls to meet the Trust Services Principles Criteria. The Trust Services Principles Criteria has five defined principles: Security, Availability, Confidentiality, Processing Integrity, and Privacy. Currently, the demand for SOC 2 Privacy reports has been minimal, but the demand will likely increase as more organizations seek to gain assurance over their service organizations’ compliance with the growing number of data privacy regulations.

Read more here: The Perfect Storm for Data Privacy Regulations « In The Black – A blog from Whitley Penn, LLP – CPAs and Professional Consultants.


Is Your Business Following the 3 Steps the FTC is Requiring for Using Data Service Providers?

The Federal Trade Commission now requires businesses to take the following 3 steps when contracting with data service providers: Investigate. Obligate. Verify.

Is your business following these steps?

  1. Investigate. Businesses are required to investigate by exercising due diligence before hiring data service providers.
  2. Obligate. Businesses are required to obligate their data service providers to adhere to the appropriate level of data security protections through their contractual agreements with the provider.
  3. Verify. Businesses are required to take steps to verify that the data service providers are adequately protecting data as required by the contractual standards.

These 3 steps were identified and explained by Daniel Solove in Duties When Contracting with Data Service Providers in which he explains how the FTC developed this new standard of care by observing the norms and standards that have developed in the law of privacy and data security in general and now essentially giving them the effect of law. He discerns these standards from, among other things, the recent FTC case In the Matter of GMR Transcription Services, Inc. (Jan. 31, 2014).

Solove also makes the following observations:

  • The standards could lead to an FTC enforcement action because of poor data service provider management alone, even without a data breach.
  • All companies need to take a closer look at their own data service provider management practices.
  • Virtually all businesses fall within the FTC’s regulatory authority and should follow these guidelines.
  • Even organizations that are not under the FTC regulatory authority should still follow these guidelines as the standard of care when it comes to contracting with data service providers.