CURRENT AND EMERGING STANDARDS OF CYBERSECURITY DUE CARE

RICHARD M. MARTINEZ, PARTNER, CHAIR DATA PRIVACY AND CYBERSECURITY GROUP

© 2015 ROBINS KAPLAN LLP

Upload: summit-professional-networks

Posted on 15-Jan-2017



Page 2: BRINGING THE PARTIES TOGETHER

Role of IT

Role of Legal

Changing Threat Landscape

What’s at Stake

Source of Standards

Page 3: SOURCE OF STANDARDS

Federal Trade Commission

Legislation

Litigation

Industry and Standards Groups

Private-Public Partnerships

Others

Page 4: LESSONS LEARNED FROM THE FTC

Role of the Federal Trade Commission

Lessons Learned from 50 FTC Cases

Guiding principles gleaned from the FTC’s leading enforcement actions

– 10 principles

– Various Case Illustrations

Page 5: FTC JURISDICTION AFFIRMED

FTC v. Wyndham Worldwide Corporation (3rd Cir. opinion)

The FTC sued the hospitality company and three subsidiaries, alleging that data security failures led to three data breaches at Wyndham hotels in less than two years.

According to the complaint, those failures resulted in millions of dollars of fraudulent charges on consumers’ credit and debit cards – and the transfer of hundreds of thousands of consumers’ account information to a website registered in Russia.

Page 6: RECENT DECISION BY FTC CHIEF ALJ

Impact of dismissal of FTC’s LabMD case

FTC alleged that LabMD failed to provide reasonable and appropriate security for the personal information it maintained on its network, constituting an unfair act or practice under Section 5 of the FTC Act causing injury on two occasions.

ALJ found the FTC had not demonstrated that LabMD’s activities caused or were likely to cause substantial injury to consumers, and thus had not established unfairness under Section 5.

The Federal Trade Commission has filed a Notice of Appeal

Page 7: FTC JURISDICTION AFFIRMED

Third Circuit upheld the District Court’s ruling that the FTC could use the prohibition on unfair practices in section 5 of the FTC Act to challenge the alleged data security lapses outlined in the complaint.

The Court also rejected Wyndham’s fair notice argument.

“For good reason, Wyndham does not argue that the cybersecurity intrusions were unforeseeable. That would be particularly implausible as to the second and third attacks.”

Page 8: FTC NEWS FLASH

Global Privacy Enforcement Network (“GPEN”)

Look for expanded, multi-jurisdictional investigations

Cross-border data transfers

Page 9: GLOBAL PRIVACY ENFORCEMENT NETWORK (“GPEN”)

The FTC and enforcement agencies from seven other countries on Oct. 25, 2015, signed a new information-sharing system to coordinate international efforts in protecting consumer privacy.

Australia, Canada, Ireland, Netherlands, New Zealand, Norway, United Kingdom, U.S.

“Today, data is increasingly crossing borders, and our privacy investigations and enforcement must do the same.” – Chairwoman Ramirez

Page 10: 50 FTC LAWSUITS DISTILLED

Webinar: “Managing Risk in the Era of Cyber Insecurity”

Risks

Lapses

Lessons learned

Emerging standards: details from 50+ FTC Enforcement Actions

Page 11: RISK MANAGEMENT PRINCIPLES

1. Start with security.

2. Control access to data sensibly.

3. Require secure passwords and authentication.

4. Store sensitive personal information securely and protect it during transmission.

5. Segment your network and monitor who’s trying to get in and out.

6. Secure remote access to your network.

7. Apply sound security practices when developing new products.

8. Make sure your service providers implement reasonable security measures.

9. Put procedures in place to keep your security current and address vulnerabilities that may arise.

10. Secure paper, physical media, and devices.

Page 12: CONTROL ACCESS TO DATA SENSIBLY

Restrict access to sensitive data.

– Goal Financial (company failed to restrict employee access to personal information stored in paper files and on its network)

Limit administrative access.

– Twitter (granted almost all of its employees administrative control over Twitter’s system)

Page 13: REQUIRE SECURE PASSWORDS AND AUTHENTICATION.

Insist on complex and unique passwords.

– Twitter (common dictionary)

Store passwords securely.

– Reed Elsevier (credentials in cookies)

– Twitter (admin passwords in plain text / email)

Page 14: REQUIRE SECURE PASSWORDS AND AUTHENTICATION.

Guard against brute force attacks.

– Lookout Services, Twitter, and Reed Elsevier (limit on unsuccessful logins)

Protect against authentication bypass.

– Lookout Services (known security flaws)
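An added example (not from the slides or the FTC orders) that puts the two password slides into working code: credentials are kept only as salted PBKDF2 hashes, never in plain text, and an account is refused after a fixed number of failed logins inside a time window. The store, the tunables and the injectable clock are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed example: credential storage plus a failed-login lockout.
# Tunables are illustrative; PBKDF2 iterations should be set as high as the
# login path can afford (current public guidance is in the hundreds of thousands).
MAX_FAILURES = 5          # lock after this many bad attempts ...
LOCKOUT_SECONDS = 900     # ... within this window
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is generated per password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class CredentialStore:
    """In-memory store: only salted hashes are kept, never the plaintext password."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so callers can simulate time
        self._users = {}         # username -> (salt, digest)
        self._failures = {}      # username -> timestamps of recent failed logins
        self._dummy = hash_password("dummy")  # hashed for unknown users, keeps timing uniform

    def register(self, username, password):
        self._users[username] = hash_password(password)

    def is_locked(self, username):
        """True when MAX_FAILURES failures fall inside the last LOCKOUT_SECONDS."""
        now = self._clock()
        recent = [t for t in self._failures.get(username, []) if now - t < LOCKOUT_SECONDS]
        self._failures[username] = recent
        return len(recent) >= MAX_FAILURES

    def login(self, username, password):
        """Return 'ok', 'locked' or 'denied'; locked accounts are refused before any hash check."""
        if self.is_locked(username):
            return "locked"
        salt, expected = self._users.get(username, self._dummy)
        _, candidate = hash_password(password, salt)
        # An unknown user is compared against the dummy digest and is always denied.
        if username in self._users and hmac.compare_digest(candidate, expected):
            self._failures.pop(username, None)
            return "ok"
        self._failures.setdefault(username, []).append(self._clock())
        return "denied"
```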

Page 15: SEGMENT YOUR NETWORK AND MONITOR WHO’S TRYING TO GET IN AND OUT.

Segment your network.

– Protect particularly sensitive data by housing it in a separate secure place on your network

– DSW (company didn’t sufficiently limit computers from one in-store network from connecting to computers on other in-store and corporate networks)

Monitor activity on your network.

– Dave & Buster’s (no intrusion detection; no system log monitoring)

– CardSystems Solutions (no detection of unauthorized access to network; hackers installed programs that collected stored sensitive data and sent it outside the network every four days)

Page 16: SECURE REMOTE ACCESS TO YOUR NETWORK.

Ensure endpoint security.

– Premier Capital Lending (activated a remote login account for a business client to obtain consumer reports, without first assessing the business’s security)

– SettlementOne (allowed clients that didn’t have basic security measures, like firewalls and updated antivirus software, to access consumer reports through its online portal)

– LifeLock (no antivirus)

Put sensible access limits in place.

– Dave & Buster’s

Page 17: SET PROCEDURES TO KEEP SECURITY CURRENT AND ADDRESS VULNERABILITIES.

Update and patch third-party software.

– TJX Companies (update anti-virus software)

Heed credible security warnings and move quickly to fix them.

– HTC America (process for receiving and addressing reports about security vulnerabilities)

– Fandango (company relied on its general customer service system to respond to warnings about security risks)

Page 18: WIRE TRANSFER FRAUD

Wire Transfer Phishing

Business Email Compromise

FBI Warning

Page 19: (no transcribed text)

Page 20: WIRE TRANSFER FRAUD

Standard: UCC Article 4A

“Commercially Reasonable” Security Procedures

UCC Article 4A-202(b):

– (b) If a bank and its customer have agreed that the authenticity of payment orders issued to the bank in the name of the customer as sender will be verified pursuant to a security procedure, a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if (i) the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and (ii) the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer. The bank is not required to follow an instruction that violates a written agreement with the customer or notice of which is not received at a time and in a manner affording the bank a reasonable opportunity to act on it before the payment order is accepted.

Page 21: STANDARDS FOR THE INTERNET OF THINGS

24 billion Internet-connected devices before the end of the decade (> 3/person)

Standards are being proposed

Page 22: MEDICAL DEVICES AND HEALTH APPS

Page 23: FDA: MEDICAL DEVICES

Led ongoing industry / stakeholder Public Workshops on advancing medical device cybersecurity

Issued “non-binding guidance”

Issued Warnings

Health Care Mobile Apps

Page 24: NH-ISAC

National Health Information Sharing and Analysis Center

Page 25: HOSPIRA SYMBIQ INFUSION SYSTEM: FDA SAFETY COMMUNICATION

FDA told hospitals to stop using Hospira's Infusion Pump

If accessed, a hacker could “control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies”

Page 26: FDA “GUIDANCE FOR INDUSTRY”

Example: FDA's “Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS) Software”

“Nonbinding Recommendations”

Challenges inherent in devices that will be operated in networked environments beyond manufacturers’ control

Page 27: LEGISLATION

California Civil Code sections 1798.29 and 1798.82

Under California’s current law, if personal information is “encrypted,” the notification requirements do not apply

Until now, the law had not defined when personal information would be considered to be “encrypted”

“Encrypted” is now defined as “rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information technology.”

Page 28: FTC EXAMPLES

Keep sensitive information secure throughout its lifecycle.

– Superior Mortgage Corporation (emailed in clear)

Use industry-tested and accepted methods.

– ValueClick (non-standard, proprietary form of encryption)

Ensure proper configuration.

– Fandango and Credit Karma (used SSL encryption in their mobile apps, but turned off a critical process known as SSL certificate validation without implementing other compensating security measures)
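An added example (not from the slides or the FTC orders) of the kind of review check the Fandango and Credit Karma actions call for on the defender side: a small static scan that flags client code which disables TLS certificate or hostname validation. The pattern list and the sample source are constructed for illustration and are not exhaustive.

```python
import re

# Constructed example: idioms that turn off TLS certificate or hostname validation
# in common client stacks. Illustrative, not exhaustive; every hit is a review
# item to be justified or removed, not by itself proof of a vulnerability.
DISABLED_VALIDATION_PATTERNS = [
    ("python requests verify=False", re.compile(r"\bverify\s*=\s*False\b")),
    ("python ssl verify_mode CERT_NONE", re.compile(r"verify_mode\s*=\s*ssl\.CERT_NONE")),
    ("python ssl check_hostname off", re.compile(r"check_hostname\s*=\s*False\b")),
    ("python unverified context", re.compile(r"_create_unverified_context")),
    ("java permissive hostname verifier",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|[hH]ostnameVerifier\s*\(\s*\(\s*\w+\s*,\s*\w+\s*\)\s*->\s*true")),
    ("java empty checkServerTrusted", re.compile(r"checkServerTrusted\s*\([^)]*\)\s*\{\s*\}")),
    ("curl --insecure", re.compile(r"(?:^|\s)curl\b.*\s(?:-k|--insecure)\b")),
]


def audit_source(text):
    """Return [(line_no, description, line)] for every line matching a known pattern."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for description, pattern in DISABLED_VALIDATION_PATTERNS:
            if pattern.search(line):
                findings.append((line_no, description, line.strip()))
    return findings


# Constructed sample: six disabled-validation idioms followed by one correct call.
SAMPLE_SOURCE = """\
resp = requests.get(url, verify=False)  # left over from debugging
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
builder.hostnameVerifier((hostname, session) -> true);
public void checkServerTrusted(X509Certificate[] chain, String authType) {}
curl -k https://api.example.invalid/v1/orders
resp = requests.get(url, verify=True)  # validation left on: not flagged
"""

if __name__ == "__main__":
    for line_no, description, line in audit_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {description}: {line}")
```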

Page 29: NIST: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Cybersecurity Framework

Computer Security Resource Center (CSRC)

Page 30: US-CERT

Dept. Homeland Security, US Computer Emergency Readiness Team

Security Bulletins

Page 31: INFRAGARD

InfraGard is a partnership between the FBI and the private sector

Confidential, timely alerts for the private sector

16 Critical Infrastructures covered

Ignorance is not bliss

Examples

– Social Engineering, Smart Farming, Increase in Point of Sale Malware Intrusions Possible During Holiday Season, Compromised and stolen sensitive military information

Page 32: ACTIONS AGAINST THIRD PARTIES

Liability of technology companies for data breaches

Next Wave of Litigation

Page 33: THANK YOU

Questions:

[email protected]

612.349.8402