Get the FUD out of Cybersecurity! ISACA CSXNA 2016 in Las Vegas

Shawn E. Tuma, Cybersecurity Attorney, Partner, Scheef & Stone, LLP

Uploaded by shawn-tuma, posted 16-Jan-2017


TRANSCRIPT

Page 1: Get the FUD out of Cybersecurity! ISACA CSXNA 2016 in Las Vegas

Shawn E. Tuma, Cybersecurity Attorney Partner, Scheef & Stone, LLP

Get the FUD out of Cybersecurity!

Page 2: Join the conversation!

Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.

@shawnetuma #CSXNA

Page 3: Do you remember Y2K?

• The Y2K Legal Expert
• Path: Y2K > computer fraud > data breach
• 2011
  • “Year of Data Breach”
  • “Who’s Gonna Get It?”

Page 4: Cybersecurity: a legal issue?

2014: The real Year of the Data Breach

Page 5: Selling FUD is so 2014!

Consider these 2 statements:

• “There are only two types of companies: those that have been hacked, and those that will be.”
• “It’s not a matter of if, but when your company is hacked.”

Page 6: Why so much FUD?

• FUD = fear × uncertainty × doubt
• Why?
  • It gets media attention
  • It is cool, exotic, sexy
  • It justifies the most sophisticated (i.e., expensive) tools

Page 7: The threat is real

• Cybersecurity & data breaches are an epidemic
• Impacted by data breach?

Page 8: Awareness is real, also

What concerns keep Chief Legal Officers awake at night? #2 = Data Breaches

82% consider it somewhat, very, or extremely important

Page 9: The “too much FUD” problem

• “These three thieves, fear, uncertainty, and doubt, will rob you of your future.” –E.R. Haas
• Complacency was the problem
• Hopelessness is now the problem
• Eat a live frog –Mark Twain

Page 10: The Turning Point

• Easily preventable
  • 90% in 2014
  • 91% in 2015
• 63% of confirmed breaches from weak, default, or stolen passwords
• Data is lost over 100x more often than it is stolen
• Phishing is the method used most to install malware

Page 11: Where Would You Start?

[Diagram: threats on a spectrum from Easily Preventable to Sophisticated Attacks]

Page 12: Leadership

“We must free ourselves of the hope that the sea will ever rest. We must learn to sail in high winds.” –Aristotle Onassis

Page 13: Leadership

• Leaders find solutions.
• Leaders bring calm and rational decision making to crisis situations.
• Yes, this is new, uncharted territory.
• But, we are pioneers made to thrive in the unknown – it’s what we do.
• Focus on what we know.

Page 14: Sun Tzu on Hacking

• “All warfare is based on deception.”
• “Water shapes its course according to the nature of the ground over which it flows; the soldier works out his victory in relation to the foe whom he is facing.”
• “In all fighting the direct method may be used for joining battle, but indirect methods will be needed to secure victory.”
• “Attack him where he is unprepared; appear where you are not expected.”

Page 15: Sun Tzu on Security

• “The general who wins the battle makes many calculations in his temple before the battle is fought. The general who loses makes but few calculations beforehand.”
• “Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.”
• “The quality of decision is like the well-timed swoop of a falcon which enables it to strike and destroy its victim.”

Page 16: Preparation

“You don’t drown by falling in the water; You drown by staying there.”

Page 17: Start with the Basics

“Some people try to find things in this game that don’t exist but football is only two things – blocking and tackling.” –Vince Lombardi

Page 18: What We Know

• Attacks will be different from those of the past.
• Attacks will usually be indirect, not direct.
• Attackers will use deception.
• Attackers will focus on the area least protected – the human element.
• Preparation allows adaptation.

Page 19: Prepare Workforce

• Culture of security
• Policies and procedures
• Systems and controls
• Education and training
• Goal: teach people to think, recognize, and resist

Page 20:

“Security and IT protect companies’ data; Legal protects companies from their data.”

Page 21: Legal Foundations

Takeaway: Standard is reasonableness.

• In re Target Data Security Breach Litigation (Financial Institutions) (Dec. 2, 2014)
  • Companies have a duty to be reasonably informed and take reasonable measures to protect against cybersecurity risks.
  • It’s the diligence, not the breach, that counts.
  • The court found duties to
    • Reasonably protect others’ data
    • Not disable security devices (i.e., if you have it, use it)
    • Respond when alerted of an attack

Page 22: Legal Foundations

Takeaway: Must have basic IT security.

• F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24, 2015).
  • The FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the FTC Act.
  • Companies have fair notice that their specific cybersecurity practices could fall short of that provision.
  • 3 breaches / 619,000 records / $10.6 million in fraud
  • Rudimentary practices v. 2007 guidebook
  • Website Privacy Policy misrepresentations

Page 23: Legal Foundations

Takeaway: Must have internal network controls.

• F.T.C. v. LabMD (July 2016 FTC Commission Order)
  • LabMD had 1 employee using LimeWire; Tiversa obtained a file containing PHI and provided it to the FTC.
  • “LabMD’s data security practices constitute an unfair act or practice within the meaning of Section 5 of the FTC Act. We enter an order requiring that LabMD notify affected consumers, establish a comprehensive information security program reasonably designed to protect the security and confidentiality of the personal consumer information in its possession, and obtain independent assessments regarding its implementation of the program.”

Page 24: Legal Foundations

Takeaway: Must have written policies & procedures.

• S.E.C. v. R.T. Jones Capital Equities Management, Consent Order (Sept. 22, 2015).
  • “R.T. Jones failed to adopt written policies and procedures reasonably designed to safeguard customer information.”
  • R.T. Jones violated the Securities Act’s “Safeguards Rule”
  • 100,000 records vulnerable; no reports of actual harm
  • $75,000 penalty
  • Cease and desist from any future violations

Page 25: Legal Foundations

Takeaway: Must have written incident response plan.

• S.E.C. v. R.T. Jones Capital Equities Management, Consent Order (Sept. 22, 2015).
  • Firms “need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”

Page 26: Legal Foundations

Response Plan Points

• Goal is to execute
• This is a checklist, not an IRP
• How detailed?
• Tabletop exercises

Page 27: Legal Foundations

How quickly to respond?

• 45 days (most states)
• 30 days (some states)
• 3 days (federal contracts)
• 2 days (business expectation)
• Immediately (contracts)

Page 28: Legal Foundations

Takeaway: Must evaluate third parties’ security.

• In re GMR Transcription Svcs., Inc., Consent Order (Aug. 14, 2014).
  • The FTC’s Order requires businesses to follow 3 steps when working with third-party service providers:
    • Investigate before hiring data service providers
    • Obligate data service providers to adhere to the appropriate level of data security protections
    • Verify that the data service providers are complying with obligations (contracts)

Page 29: Legal Foundations

Takeaway: Know your contractual obligations.

• Addendum to business contracts
  • Common names: Data Security & Privacy Agreement; Data Privacy; Cybersecurity; Privacy; Information Security
  • Common features:
    • Defines subject “Data” being protected in categories
    • Describes acceptable and prohibited uses for Data
    • Describes standards for protecting Data
    • Describes obligations and responsibility for breach of Data
    • Requires binding third parties to similar provisions

Page 30: The Game Changer?

New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies + [fill in]

• All NY “financial institutions”
• Establish Cybersecurity Program (w/ specifics)
• Adopt Cybersecurity Policies
• Designate qualified CISO to be responsible
• Written Incident Response Plan
• Third-Party Providers – examine, obligate, audit
• Board or Senior Officer Certify Compliance

Page 31: Cybersecurity Risk Management

Page 32: Instead of FUD

“You don’t drown by falling in the water; You drown by staying there.”

Teach people how to swim – better yet, how to surf!

Page 33: Shawn Tuma, Cybersecurity Partner, Scheef & Stone, L.L.P.

• Board of Directors & General Counsel, Cyber Future Foundation
• Board of Directors, North Texas Cyber Forensics Lab
• Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016)
• SuperLawyers Top 100 Lawyers in Dallas (2016)
• SuperLawyers 2015-16 (IP Litigation)
• Best Lawyers in Dallas 2014-16, D Magazine (Digital Information Law)
• Council, Computer & Technology Section, State Bar of Texas
• Privacy and Data Security Committee of the State Bar of Texas
• College of the State Bar of Texas
• Board of Directors, Collin County Bench Bar Foundation
• Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association
• Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
• North Texas Crime Commission, Cybercrime Committee
• Infragard (FBI)
• International Association of Privacy Professionals (IAPP)
• Board of Advisors Office of CISO, Optiv Security
• Editor, Business Cybersecurity Business Law Blog

Contact: 214.472.2135 | [email protected] | @shawnetuma | blog: www.shawnetuma.com | web: www.solidcounsel.com