Legal Vectors - Survey of Law, Regulation and Technology Risk
Advanced Persistent Legal Threats
Some Hackers Wear Suits not Hoodies
APLT
Consequences of a breach
• a) Data lost or unavailable – Restore backup
• b) Intellectual property could be stolen – Sue for patent infringement
• c) Customers' data could be stolen – Compensate your customers
• d) Extortion – Come clean and apologize
Economics of Regulation – FCPA
1. Siemens (Germany): $800 million in 2008.
2. Alstom (France): $772 million in 2014.
3. KBR / Halliburton (USA): $579 million in 2009.
4. BAE (UK): $400 million in 2010.
5. Total SA (France): $398 million in 2013.
6. VimpelCom (Holland): $397.6 million in 2016.
Legal Risk
• Regulatory
  • Fines
  • Sanctions
• Civil law suit
  • Tort liability
    • Negligence
    • Standard of care
  • Contract
• Criminal
Regulatory Tribbles
Regulatory Risk
• SEC – Securities and Exchange Commission
• OIG – Office of Inspector General
• NCUA – National Credit Union Association
• FFIEC – Federal Financial Institutions Examination Council
• FINRA – Financial Industry Regulatory Authority
• CFPB – Consumer Financial Protection Bureau
• FTC – Federal Trade Commission
• FCC – Federal Communications Commission
• FDIC – Federal Deposit Insurance Corporation
• NAIC – National Association of Insurance Commissioners
Fine Inflation
HIPAA
1. Advocate Health System (IL): $5.55 million, 2016
2. NewYork-Presbyterian Hospital and Columbia University (NY): $4.8 million, 2014
3. Cignet Health (MD): $4.3 million, 2011
4. Triple-S (PR): $3.5 million, 2015
5. University of Mississippi Medical Center (MI): $2.75 million, 2016
Spokeo
Home Depot Target Settlements
Product Liability
• Cars gone wild
• Privacy – Refrigerator sends naughty pictures to YouTube
• Medical Devices –
• Supply Chain – China
Medical Devices
Internet of Things (IoT) Projected Market
Standard of Care – NIST 800-183
• Through 2018, 50% of IoT device manufacturers will not be able to address threats from weak authentication practices.
• By 2020, more than 25% of identified enterprise attacks will involve IoT, though IoT will account for only 10% of IT security budgets.
• By 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources.
• By 2018, the need to prevent data breaches from public clouds will drive 20% of organizations to develop data security governance programs.
Risk Transfer - Insurance
Cloud Contracts
1. Cost
2. Service Levels
3. Compliance
4. Security
5. eDiscovery
6. Intellectual Property
7. Indemnification
8. Limitations of Damages
9. Term, Renewal, Modification
eDiscovery
US Europe
GDPR - General Data Protection Regulation
• Jurisdiction – companies offering goods or services to data subjects (individuals) in the EU, or monitoring their behavior; the company could be quite small
• Processors and Controllers
• Effective Date – May 25, 2018
• Compliance Framework – probably ISO 27001
• Data Protected – PII
• Privacy Shield – self-certification with the Department of Commerce
GDPR Rights
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling
GDPR – DPO Data Protection Officer
• Expert knowledge of both data protection law and technology
• Managing internal data protection activities
• Notifications of data breaches for cyber incidents
• Managing the outsourcing of data processing activities, including the use of third-party vendors for HR, IT and marketing
• Working with the firm's designated supervisory authority
• Protected from dismissal
• Reports to the highest level of management
EU Cloud Contracts
SLALOM (Service Level Agreement Legal and Open Model)
• Simple drafting
• Fair and balanced
• Flexible universal starting point – great starting point for negotiations
• Consistency
• ISO compliant
EU Internet of Things Regulations
• Data on the device is PII
• Processing data will require consent
• Device manufacturers, social platforms, third-party app developers and other third parties will be considered controllers or processors
• Everyone will have to carry out Privacy Impact Assessments and implement Privacy by Design and Privacy by Default solutions
State Law
• Breach Notification
• FinTech Regulation
• New York Department of Financial Services
  • Third parties – mandatory audits, warranties
  • Mandatory training
  • CISO
  • Mandatory multi-factor authentication for access to internal systems
  • Data retention policies
  • Breach notification – 72-hour rule
China
According to China’s Foreign Ministry
“China's pending cyber security law will not create obstacles for foreign business”
Deterring Criminal Behavior
• Law and Economics analysis – a crime is deterred when Expected Costs > Expected Benefit
• Costs
  • Probability of getting caught – small
  • Severity of the punishment – small
• Benefits – huge
Business Model
• Third Party
  • Credit cards
  • Bank account information
  • Tax identification numbers
• Direct
  • Ransomware
  • Extortion
  • Business Email Compromise ("BEC") fraud, e.g. wire transfers
  • Actionable financial information (insider information)
  • Intellectual property
  • Industrial espionage
Change
• Change in the technology
• Change in the law and the regulatory environment
• Both will be fed by changes in the politics and economics
I wasn’t there, I didn’t do it, I can’t remember and I deny everything
• The information in this lecture is for informational purposes only and does not constitute legal advice. These materials are intended, but not promised or guaranteed, to be current, complete, or up-to-date and should in no way be taken as an indication of future results. The information and articles on this website are offered only for general informational and educational purposes. They are not offered as, and do not constitute, legal advice or legal opinions. You should not act or rely on any information contained in this website without first seeking the advice of an attorney.