
Page 1: Preparing for New Electronic Communication Privacy LawsBy Harsha Banavara and Jeffrey Farago This article addresses the continuing issues of comprehensive consideration and integration

June 2016 | Volume 14 Issue 6

Cybersecurity Whistleblowing: What Employees at Public Companies Should Know Before Reporting Information Security Concerns
Addressing Data Privacy Regulation & Standards: A Process
Blockchain: The Legal Industry

★ ★ ★ ISSA ★ ★ ELECTION ★ ★ 2016 ★ ★ ★

Preparing for New Electronic Communication Privacy Laws

LEGAL, PRIVACY, REGULATION


Table of Contents
DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY

Articles

28 Cybersecurity Whistleblowing: What Employees at Public Companies Should Know Before Reporting Information Security Concerns
By Dallas Hammer
No anti-retaliation statute specifically covers cybersecurity whistleblowers, but employees of public corporations may nonetheless be protected when blowing the whistle on cybersecurity concerns. This article provides a brief foundation for understanding how whistleblowers may fall within the coverage of the Sarbanes-Oxley Act of 2002 and the Dodd-Frank Act of 2010.

36 Addressing Data Privacy Regulation & Standards: A Process
By Harsha Banavara and Jeffrey Farago
This article addresses the continuing issues of comprehensive consideration and integration of data privacy into product development to enable compliance to applicable standards, rules, and regulations.

41 Blockchain: The Legal Industry
By R. S. Tumber – ISSA member, UK Chapter
This article introduces the impact of blockchain technology upon the legal services industry.

Feature

22 Preparing for New Electronic Communication Privacy Laws
By Rouman Ebrahim – ISSA member, Los Angeles Chapter
The California legislature has recently enacted the California Electronic Communication Privacy Act and many states are set to follow with their own electronic privacy laws. After a brief introduction to the Act and the broad definitions within it, this article will focus on issues that impact private businesses and corporations.

Also in this Issue

3 From the President
4 [email protected]
5 Sabett’s Brief: From a Legal Perspective…It’s Just a Fridge!
6 Herding Cats: To Encrypt, or to Backdoor?
7 Open Forum: Why the Merging of Security and Privacy is a Good Thing
8 Perspective: Women in Security SIG – Regulatory Compliance – A Change Management Challenge
9 Security in the News
10 Association News
14 2016 International Election Candidate Profiles

©2016 Information Systems Security Association, Inc. (ISSA)
The ISSA Journal (1949-0550) is published monthly by Information Systems Security Association
12100 Sunset Hills Road, Suite 130, Reston, Virginia 20190
703-234-4082 (direct) • +1 866 349 5818 (USA toll-free) • +1 206 388 4584 (International)

2 – ISSA Journal | June 2016


From the President

Greetings ISSA Members and Journal Readers!

It’s hard to believe we are already halfway through 2016!

This month we will hold our 4th European Chapter Leaders Summit on June 19-20 in Amsterdam, the home of our Netherlands Chapter. I was thinking about some of the challenges serving an international association has that many take for granted or perhaps never really give much thought to, such as what happens behind the scenes and what considerations are being taken. Everything from important holidays to paying respect to when trying to plan international events, to hours of operation and email responses. And even the simplest thing like referring to the season of the year in newsletters or the Journal is not so simple when summer in one place is winter in another. Also with ~150 chapters, it is hard not to overlap someone’s meeting or local functions when planning a CISO Executive Forum or the ISSA International Conference in Dallas, Texas (November 2-3).

I think we have room for improvement with the help of our membership in bringing value. Many have expressed concern about (ISC)2 chapters being started in your areas. We have re-started the conversation to see where we can better align our efforts—we both agree that we should not cause our information security professionals to be severed at the local level, but rather provide complementary services.

The majority of our membership is in the United States, followed by the European Union. Keeping this in mind, to help serve our membership better abroad, we established a staff member on the ground in the EU to provide this large population of members a local resource. If it shows value, the thought is to extend this model to other areas, such as the Asia-Pacific region. We are recording many of our webinars and chapter leaders meetings so that those who cannot attend due to time differences or scheduling conflicts can get value from the recordings. But first we have to find out, what is it that provides service and value to you, the members, now? If you are a chapter leader in Europe, please come share first hand how we can further build ISSA at the Europe Chapter Leaders Summit. For those in the European time zones, we have set up an email address to address your needs: [email protected].

I saw this recently and hope you won’t hold it against him that he just states “man”…

“Try not to become a man of success, but rather a man of value.” – Albert Einstein

I think to be judged by what you have done for others and the value you have brought to ISSA speaks volumes about what our members are all about. Thanks to all of you for making ISSA the association that information security professionals choose to network globally.

Moving forward,

Andrea Hoy, International President

International Board Officers
President: Andrea C. Hoy, CISM, CISSP, MBA, Distinguished Fellow
Vice President: Justin White
Secretary/Director of Operations: Anne M. Rogers, CISSP, Fellow
Treasurer/Chief Financial Officer: Pamela Fusco, Distinguished Fellow

Board of Directors
Frances “Candy” Alexander, CISSP, CISM, Distinguished Fellow
Debbie Christofferson, CISM, CISSP, CIPP/IT, Distinguished Fellow
Mary Ann Davidson, Distinguished Fellow
Rhonda Farrell, Fellow
Garrett D. Felix, M.S., CISSP, Fellow
Geoff Harris, CISSP, ITPC, BSc, DipEE, CEng, CLAS, Fellow
Alex Wood, Senior Member
Keyaan Williams
Stefano Zanero, PhD, Fellow

The Information Systems Security Association, Inc. (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members. With active participation from individuals and chapters all over the world, the ISSA is the largest international, not-for-profit association specifically for security professionals. Members include practitioners at all levels of the security field in a broad range of industries, such as communications, education, healthcare, manufacturing, financial, and government. The ISSA international board consists of some of the most influential people in the security industry. With an international communications network developed throughout the industry, the ISSA is focused on maintaining its position as the preeminent trusted global information security community. The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved.


The information and articles in this magazine have not been subjected to any formal testing by Information Systems Security Association, Inc. The implementation, use and/or selection of software, hardware, or procedures presented within this publication and the results obtained from such selection or implementation, is the responsibility of the reader.

Articles and information will be presented as technically correct as possible, to the best knowledge of the author and editors. If the reader intends to make use of any of the information presented in this publication, please verify and test any and all procedures selected. Technical inaccuracies may arise from printing errors, new developments in the industry, and/or changes/enhancements to hardware or software components.

The opinions expressed by the authors who contribute to the ISSA Journal are their own and do not necessarily reflect the official policy of ISSA. Articles may be submitted by members of ISSA. The articles should be within the scope of information systems security, and should be a subject of interest to the members and based on the author’s experience. Please call or write for more information. Upon publication, all letters, stories, and articles become the property of ISSA and may be distributed to, and used by, all of its members.

ISSA is a not-for-profit, independent corporation and is not owned in whole or in part by any manufacturer of software or hardware. All corporate information security professionals are welcome to join ISSA. For information on joining ISSA and for membership rates, see www.issa.org.

All product names and visual representations published in this magazine are the trademarks/registered trademarks of their respective manufacturers.

[email protected]
Legal, Privacy, Regulation
Thom Barrie – Editor, the ISSA Journal

The Editorial Advisory Board is upping the ante with the scholarship announced last issue: the recipient of the ISSA Journal Scholastic Writing Award for best student article will receive $1,000! Do you have a college student acquaintance or family member? Let him or her know. Not only will this award feel great in the pocket, but it will look great on a resume. See the article on page 11 for pertinent links and information.

Our legal issue garnered some interesting takes on Legal, Privacy, Regulation—from baking privacy into product development to whistleblower protection for corporate cybersecurity infractions to new privacy legislation in California to blockchain technology that is set to disrupt “banking, law, and accountancy” as the Internet did to “media, commerce, and advertising.”

In “Preparing for New Electronic Communication Privacy Laws,” Los Angeles County Deputy District Attorney Rouman Ebrahim explains recent California privacy legislation that makes it more difficult for law enforcement to access electronic communications without the communication possessor’s permission and without a search warrant. This has ramifications for organizations that provide devices—phones, tablets, computers—to employees. While the organization might be the owner, the employee is the possessor, and the possessor holds the trump card.

For those of you working in publicly-held companies, or with access to said companies, you may be protected under US regulation if you choose to blow the whistle on cybersecurity wrongdoings. While, of course, one would attempt to rectify the transgression at the source, if the company continues in its malfeasance in spite of your bringing awareness up the chain, your only recourse may be to let the authorities know (or ignore it, which becomes an ethical dilemma in itself). Dallas Hammer explains it all in “Cybersecurity Whistleblowing.” And there might even be a reward in store.

We’ve had a couple bitcoin articles this year, most recently last issue. In “Blockchain: The Legal Industry,” Rajinder Tumber looks at the blockchain technology that underlies bitcoin and other cryptocurrencies and shows how the technology is ripe for the legal industry and that those in the profession had better come up to speed with this not-so-new, disruptive technology that is poised to alter an industry. One interesting product is the smart contract: a simple version being digital rights management that shuts down media access if violating terms of use; another an IoT-connected device turning off if the owner is remiss in monthly payments. Quick, the ice cream is melting!

And don’t forget to let your voice be heard. June is election month.

Enjoy,
Thom

Editor: Thom Barrie [email protected]
Advertising: [email protected]
866 349 5818 +1 206 388 4584

Editorial Advisory Board
Phillip Griffin, Fellow
Michael Grimaila, Fellow
John Jordan, Senior Member
Mollie Krehnke, Fellow
Joe Malec, Fellow
Donn Parker, Distinguished Fellow
Kris Tanaka
Joel Weise – Chairman, Distinguished Fellow
Branden Williams, Distinguished Fellow

Services Directory
Website: [email protected] – 866 349 5818 +1 206 388 4584
Chapter [email protected] – 866 349 5818 +1 206 388 4584
Member [email protected] – 866 349 5818 +1 206 388 4584
Executive [email protected] – 866 349 5818 +1 206 388 4584
Vendor [email protected] – 866 349 5818 +1 206 388 4584


Sabett’s Brief

From a Legal Perspective…It’s Just a Fridge!

By Randy V. Sabett – ISSA Senior Member, Northern Virginia Chapter

With most technologies that I encounter in my practice, I can generally learn enough about it (a) to be able to advise my clients and (b) come up with an appropriate explanation, depending on the audience involved. For the “techies,” I make sure I can have a detailed conversation about the technology that can then be used for assessing liability. For general counsels and/or others with a legal interest, I act as translator and am often called upon to distill the technology down to a liability summary. For my family and friends, I often come up with an even more generic summary. The Internet of Things (IoT), however, will change all that. For any audience, it will simply involve me describing things in terms of an unregulated but Internet-connected refrigerator…that is, at least until the Department of Commerce finishes its latest effort.

Specifically, the prior hands-off approach the government has taken on regulating the IoT may be changing. In April 2016, the National Telecommunications and Information Administration (NTIA) within the Department of Commerce asked for public comment on what role the federal government should play in the further development of the IoT. Following the review of the public comments it received, the NTIA intends to issue a “green paper” that will identify “possible roles for the federal government in fostering the advancement of IoT technologies.” While the NTIA does not have the authority to adopt the regulations that may be proposed, companies involved in the IoT space should expect the green paper to provide a road map of intended future regulation that may be carried out by the Federal Trade Commission, Federal Communications Commission, and other agencies.

The number of topics identified by NTIA where regulation should be considered includes numerous areas where we have made tremendous progress because of a lack of regulation. Those areas include cybersecurity, privacy, health, safety and security, cross-border data flows, spectrum, international trade, advanced manufacturing, protection of intellectual property, standards policy, Internet governance, big data, entrepreneurship, and worker skills.

The NTIA seems to be focused primarily on how the government can best foster IoT innovation and growth while protecting consumers and ensuring economic equity. Pertinent issues include defining the term Internet of Things and whether there should be classifications such as consumer vs. industrial, public vs. private, device-to-device vs. human interfacing. These types of distinctions will become important as NTIA wants to address the “appropriate level of protection to workers, consumers, patients and/or other uses of IoT technologies.” The NTIA seems to be thinking broadly and about more than just connected devices (since the Notice referenced physical objects, infrastructure, and environments as well as data applications and analytics).

Technology and infrastructure are two areas of focus for the NTIA, which also has expressed interest in issues such as interoperability, spectrum, interference, investment, resiliency, and standards. NTIA also asks how government should quantify, measure, and categorize the IoT sector, which could have long-term implications for tax and import policies, among other things. While privacy and cyber-security are clearly issues, NTIA has indicated the importance of consumer protection and how to ensure that disadvantaged communities or groups are not disproportionately impacted.

Ultimately, NTIA will use the broad input from a wide variety of interested stakeholders to inform the resulting green paper and will likely shape government IoT policy in the near term. Keep an eye on this space for further developments in this area. In the meantime, I’m off to do my banking, reserve a slot to get my car’s oil changed, and set up an appointment with my doctor…all through my refrigerator interface. No worries, I store my medical records in the freezer.

About the Author
Randy V. Sabett, J.D., CISSP, is Vice Chair of the Privacy & Data Protection practice group at Cooley LLP (www.cooley.com/privacy), and a member of the Boards of Directors of ISSA NOVA, MissionLink, and the Georgetown Cybersecurity Law Institute. He was a member of the Commission on Cybersecurity for the 44th Presidency, named the ISSA Professional of the Year for 2013, and chosen as a Best Cybersecurity Lawyer by Washingtonian Magazine for 2015-2016. He can be reached at [email protected]. The views expressed herein are those of the author and do not necessarily reflect the positions of any current or former clients of Cooley or Mr. Sabett.


Herding Cats

To Encrypt, or to Backdoor?

By Branden R. Williams – ISSA Distinguished Fellow, North Texas Chapter

I love watching magicians who operate at the highest levels when performing. At their base, they are entertainers who are able to do things that our brains cannot fathom, therefore don’t really understand. Before the days of YouTube, a skeptic would need to go to great lengths to figure out how a magician performed a trick.[1] Once someone learns a trick, it takes some of the magic (see what I did there?) out of the performance. A learned spectator who decodes the trick while it’s performed (sometimes ruining it for the audience immediately in their vicinity) realizes that the laws of physics are still intact and the term “disappear” can be interpreted relatively.

The fight or flight element of our brains (or the Lizard Brain, if you will) has interesting reactions to things our higher brain does not understand. Imagine for a moment if you pulled someone from the 1700s into 2016.[2] Wouldn’t nearly everything she encounters look like magic at first? Iron birds flying through the sky, concrete castles that touched the clouds without collapsing, and magical hand-sized devices that allow you to have a conversation with a human that you cannot see. What if she was standing a few miles from a rocket that was launching humans into space? Would she run in the other direction to get away from the loud noise and ball of fire? Would she stand in place, awestruck with the sight? Would her experience make her seek out every piece of information on rockets so she could understand how they worked? Would she run to the nearest governing authority and demand that these magic silver tubes with fire be banned in favor of human safety or for religious reasons?

Yes, that last paragraph was full of questions, some of them silly. The last few months have seen government authorities considering the implications of encryption. It’s the Clipper Chip all over again, but with much farther reaching implications. For the most part, the parties responsible for deciding the fate of our electronic secrets are not well read into the technology behind it, the reasons why it’s important, and potentially the unexpected outcomes from legislation. Imagine a congressman who majored in political science and only uses his smartphone to make calls and text his kids. I bet that device seems like magic to him. Now tell him that thanks to some fancy math and smart coding, when he sends that iMessage from his iPhone to his son’s iPhone, there is no person or machine that can read that text message but the two of you. That might sound a bit like magic, don’t you think?

Before our lives were essentially taken over by electronic devices, the laws around theft and crime focused on the physical act of stealing or destroying an asset. Things started to change when computers became more than just a university plaything. Even as recent as ten years ago, legal discussions on the topic of breaking into computing systems would often end with the phrase, “we’re waiting on the law to catch up with what’s happening in the criminal world.” This isn’t a problem unique to the United States either, as many advanced societies battled the same problems of applying long-standing laws to new types of crime. We’re adapting now, and we should do it with forethought and care.

The Risky Business podcast episode 412 features an interview with former NSA general counsel Stewart Baker. Stewart highlights a common political problem that seems to plague our two-party system here, whereby compromise is hard to come by. On the issue of encryption, we have folks that are staunchly against government backdoors and others who think it is the only way forward. His point was that the arguments thus far on the topic have been less than helpful. There have not been offers of compromise to help both parties achieve what they want.

I’m not going to use this column as a bully pulpit to convince you that one is better over the other. Instead, it’s important that you become educated on the issue and work with your government representatives to help them understand the implications on both sides of the fence. It’s more than just terrorists communicating under our noses versus no more digital commerce. This is an issue that is worth your time to really dig in and understand the positions, and get involved.

[1] Or an illusion, GOB.
[2] But not Luigi Galvani; he might just say “I told you so.”

About the Author
Branden R. Williams, DBA, CISSP, CISM is the CTO, Cyber Security Solutions at First Data, a seasoned security executive, ISSA Distinguished Fellow, and regularly assists top global firms with their information security and technology initiatives. Read his blog, buy his book, or reach him directly at http://www.brandenwilliams.com/.


Open Forum

Why the Merging of Security and Privacy is a Good Thing

By Steve Conrad – ISSA member, Puget Sound Chapter

Peanut butter and jelly. Milk and cookies. At one point or another, these pairings would have seemed odd, but now they are synonymous and almost universally agreed to be better together.

We are seeing a similar convergence in the privacy and security fields, both traditionally viewed as distinct disciplines. Both communities have started a slow but steady integration in recent years, all in an effort to bolster information protection measures on a large and more integrated scale. This merging of security and privacy is a necessary move for both industries.

Consider, if you will, any of the major breaches in recent memory. At first blush, a data breach seems synonymous with security—or a lack thereof. We often think of lax security being the main cause of a data breach. However, privacy is also at play and must be considered. Why? Compromised data has immense privacy implications for affected customers and clients. As much as we’d like to believe, most organizations that experience a data breach didn’t offer free credit monitoring and identity theft protection out of the goodness of their hearts—it’s the massive privacy and legal fallout that could result from compromised identities of affected parties if proper monitoring wasn’t put in place.

Increasing convergence

We recently saw this convergence even more clearly at RSA Conference 2016, one of the largest information security conferences in the world, that featured a half-day long session called “Privacy and Security: Working Better Together.” This convergence didn’t go unnoticed.

BankInfoSecurity recently interviewed Cisco Systems’ chief privacy officer, Michelle Dennedy, and noted “Dennedy…says privacy has [in the past] seemed to be a bolt-on topic at the RSA Conference. But this year, she sees it getting the spotlight it deserves.” This convergence has taken a huge step forward in the last two years. More than a quarter of the attendees at recent International Association of Privacy Professionals (IAPP) conferences held security-related titles. There is also a movement in place to acknowledge the role of data privacy in systems architecture, application development, and data usage. In 2013, Ann Cavoukian, a major contributor to the ideas behind Privacy by Design, said, “It is becoming widely recognized that privacy and security must both be embedded, by default, into the architecture, design, and construction of information processes.”

Information as commodity

What exactly is fueling this increased convergence of security and privacy? Above all, it is the reminder that information is a precious and valuable commodity. It’s the reason why malicious actors socially engineer users and hack into systems. An individual’s privacy is violated when information is compromised and used for malicious purposes (or any unintended purpose). It’s impossible to enforce common privacy principles without a solid data security framework. Therefore, privacy and data security professionals need to work together to ensure that sensitive data is being used and protected as any “critical asset” should be.

Says Dennedy, “When we’re seeing people taking care of their virtual assets, as they would a currency asset, then I think we come to an entire new precipice of what a privacy professional is—how they need to integrate with the financial people, with the technical people, with the marketing people, and with highest of the executive level.”

Bringing it all together

It’s great to hear talk of further integration of the security and privacy disciplines. That said, I’d offer that there’s one particularly critical asset that cannot be left out of the data security and privacy equation and that is the employee. Despite all the technology safeguards in the world, at the end of the day your employees are the ones handling and using all of your vital information assets. As such, it is critically important that your employees know just how important both privacy and security are to achieving and maintaining a risk-aware culture.

Many privacy and security professionals work together and share budgets to implement ongoing employee awareness programs that incorporate a holistic and unified data protection message. Hopefully, C-levels and other managers already see security and privacy as intertwined, but many organizations have not taken the final step to communicate and instill this knowledge to their employees. This may result in a potential disconnect between the disciplines that could have potentially disastrous consequences.

When the privacy and security perspectives are presented in a unified manner, employees can begin to appreciate how one affects the other, and how minor

Continued on page 27

The Open Forum is a vehicle for individuals to provide opinions or commentaries on infosec ideas, technologies, strategies, legislation, standards, and other topics of interest to the ISSA community. The views expressed in this column are the author’s and do not reflect the position of the ISSA, the ISSA Journal, or the Editorial Advisory Board.


Perspective: Women in Security SIG

Regulatory Compliance – A Change Management Challenge

By Rhonda Farrell – ISSA Fellow, Northern Virginia Chapter

Our editorial guidelines c e r t a i n l y

got it right when they stated “The dy-namics of security and compliance with legal and regulatory mandates can be an extremely difficult area to navigate, especially since it is often very difficult to develop, implement, and maintain a governance framework that can address diverse requirements in a comprehen-sive and coherent manner.” Why, is that? I posit that the most diffi-cult part of making any regulatory com-pliance change is with the change man-agement process utilized itself. If we go back to the basics, we know that the quality of the people, process, and tech-nology components associated with the change effort directly correlate with the effectiveness of the change effort. For those practitioners who have never been through this process, Figure 1 identifies common elements often leading to suc-cessful outcomes.Too often, however, we put our cyber-security SMEs and engineers in charge of the regulatory compliance change ef-forts, incorrectly assuming that the logic that allows them to depict complex ar-chitectural flow charts and troubleshoot cybersecurity problems will somehow parlay into righting an organizational ship gone astray. For those senior per-sonnel who just still need a process flow to follow, figure 2 ought to be the perfect proscriptive recipe for success. Once organizations recognize the defi-ciencies, however, change can help put regulatory compliance programs back on track quite successfully, if you incor-porate the right personnel with the right frame of mind, with the right maturing elements. For those personnel who need

a quick primer, figure 3 offers the basic notional elements to help move your change effort forward with acceleration.Note that change is complex and a cul-tural shift can be slow going. Knowing what to expect with regard to phased acceptance to the changes is half the battle. Figure 4 of-fers a solid baseline of cultural change understanding.Once the practi-tioner gets the or-ganizational culture shift model mas-tered, she can then focus on the change-adoption life cycle and introduce change elements that res-onate strongly with stakeholders, thus enabling a much easier transition, per figure 5.For the novice SME, the next step be-gins the prioritization of organizational elements in order to accelerate adoption, heighten programmatic success, and ac-tually assure technologic elements at a much greater level of scrutiny. Figure 6 offers a high-level view of the program-matic elements necessary for successful im-plementation.ISSA practi-tioners might be thinking: but HOW do I put these into place, I have no pri-or experience, the change process is just as NEW as the regulatory compliance changes. Never fear. ISSA members have

WIS SIG Mission: Connecting the World, One Cybersecurity Practitioner at a Time

Figure 1 – People, process, technology triad

Figure 2 – Organizational change model – an engineer’s perfect world

Figure 3 – Organizational change model

Figure 4 – Organizational culture change

Please continue on page 31

8 – ISSA Journal | June 2016


Security in the News
News That You Can Use…
Compiled by Joel Weise – ISSA Distinguished Fellow, Vancouver, BC, Chapter and Kris Tanaka – ISSA member, Portland Chapter

Credential Stealing As Attack Vector
http://www.xconomy.com/boston/2016/04/20/credential-stealing-as-attack-vector/

Bruce Schneier always has a way of getting right to the point. I hope this is obvious to most security practitioners when he states: “software vulnerabilities aren’t the most common attack vector; credential stealing is.” To me this means we need better security awareness, making sure our staff is attuned to social engineering. We also need to regularly test them in order to make sure they continue to understand related threats. In addition, the article has some really cool details about NSA Chief of Tailored Access Operations Rob Joyce’s recent talk. Who would have thought that zero-day attacks are so overrated? Or is this part of an NSA disinformation campaign?

Irish Privacy Watchdog Refers Facebook’s US Data Transfer to EU Court
http://www.reuters.com/article/us-eu-privacy-facebook-idUSKCN0YG2DL

Everyone is holding her breath. The question in front of the European Union’s Court of Justice is: Can companies still use snippets of contractual language that have been preapproved as privacy compliant by the EU when transferring personal data to American servers? If the answer is no, there are few other ways to justify keeping such data in the United States under EU law, and the effect on international business will be catastrophic.

Cybercrooks Think More Like CEOs and Consultants Than You Think
http://www.darkreading.com/risk/cybercrooks-think-more-like-ceos-and-consultants-than-you-think/d/d-id/1325564

Here’s an interesting perspective on the evolution of cybercriminals. I guess the good news is if the average cybercriminal is thinking in business terms, individuals may not be direct targets (clearly we are all targets at some level). The bad news is legitimate businesses probably have a lot to worry about. The article does provide some nice guidance that any business should consider: “By knowing our competitors’ business goals, strengths and weaknesses, we can arrive at ways to reduce their competitive advantage,” the report explains. “If attackers want to increase their profits, it is our job as their competitor to reduce their profits.”

Lessons from ATM Cash-Out Scheme in Japan
http://www.bankinfosecurity.com/atm-a-9140

It took less than three hours. Approximately 1,600 counterfeit mag-stripe debit cards cloned from card data stolen from Standard Bank accounts were used at 1,400 ATMs located in 7-Eleven convenience stores in Japan. Before anyone noticed the pattern, $19 million was stolen from the South African bank. Experts predict that we will continue to see more ATM cash-out thefts—it is the most direct route to stealing cash. It’s time for banks to fast-track ATM EMV card adoption, as well as implement multi-layered defense techniques to detect schemes like what just took place in Japan.

Core Tor Developer Who Accuses FBI of Harassment Moves to Germany
http://thehackernews.com/2016/05/tor-fbi-lovecruft.html

I’m a big fan of Tor and am always interested in hearing any news related to it. For some reason this article caught my eye. I sure would like to know why the FBI wants to talk with Isis Agora Lovecruft, one of Tor’s primary software developers. What is the reason for the subpoena? With all the debate surrounding encryption and backdoors, it is not surprising that Lovecruft fears that she might be served with some kind of secret warrant.

Apple Is Hiring a Lawyer Who Specializes in Medical Privacy, Hinting at Bigger Health Tech Ambitions
http://www.businessinsider.com/apple-hiring-hipaa-specialist-2016-5

Help Wanted: Seeking privacy counsel focused on HIPAA/Health who can work with company engineering teams as well as privacy aspects of acquisitions. It looks like Apple is ready to take more responsibility when it comes to HIPAA compliance (they previously turned to third-party app developers for that service). What’s ahead? Apple CEO Tim Cook predicts that one day the Apple Watch will be less of a smart watch and more of a sensor-packed medical device. It is nice to see that they are attacking privacy issues in the design stage rather than trying to fix things after the fact.

State Dept. Watchdog: Clinton Violated Email Rules
http://www.politico.com/story/2016/05/hillary-clinton-email-inspector-general-report-223553

It is official. According to a report by the US State Department inspector general, Hillary Clinton failed to comply with the agency’s policies on records while using a personal email server. The report also revealed that the agency suffers from “longstanding, systemic weaknesses” that are not confined to any one secretary of state—it’s not just a “Clinton problem.” How can we expect everyone to practice good cyber hygiene when our leaders engage in such risky behavior?

LinkedIn Is Latest Contributor to Breach Fatigue
https://threatpost.com/linkedin-is-latest-contributor-to-breach-fatigue/118272/

How often do you change your passwords? Be honest, even security professionals are getting a little tired of constantly updating their “access codes” after each new breach. Although the LinkedIn hack occurred four years ago, thanks to “breach fatigue” some of the data that recently appeared for sale on the web may still be able to unlock accounts and cause a great deal of damage. Yes, we are all tired, but we still need to be on guard. Spread the word—change your passwords and change them often.


Association News

Please Complete the ISSA/ESG Survey

If you have not yet completed the ISSA/ESG research survey, please make your voice heard!

ISSA and Enterprise Security Group (ESG) have joined forces to level-set the progress of the cybersecurity profession in relation to the world’s ever-escalating demand on the cybersecurity ecosystem. This first-of-its-kind survey is being designed for use by cybersecurity professionals, governments, nongovernmental organizations, educational institutions, and the spectrum of businesses around the world that are increasingly dependent upon a reasonably secure data environment for the safe conduct of operations.

ISSA is asking all 10,000 members around the world to join in having the voice of the profession heard and take this opportunity to participate and ensure your perspectives are earmarked for development. All responses will remain confidential. Members will have secure access to the completed study and an executive summary will be available to nonmembers.

Register Today for the 2016 ISSA International Conference

This year’s conference program is full of engaging, interactive sessions exploring the theme—Survival Strategies in a Cyber World—all designed to help you get your hands around some of the digital world’s hottest topics. Don’t miss out. Register today! For information on sponsorship opportunities, click here.

CSCL Pre-Professional Virtual Meet-Ups

So, you think you want to work in cybersecurity? Not sure which way to go? Not sure if you’re doing all you need to do to be successful? Check out Pre-Professional Virtual Meet-Ups to help guide you through the maze of cybersecurity.

June 30: 4:00 pm - 5:30 pm EST. Cross Career Challenges: How To Move Into Security From Another Industry.

The CISO Executive Forum is a peer-to-peer event. The unique strength of this event is that members can feel free to share concerns, successes, and feedback in a peer-only environment. Membership is by invitation only and subject to approval. Membership criteria will act as a guideline for approval. Save the date for our 2016 events:

Las Vegas, NV: July 31-August 1, 2016 Theme: Convergence: Securing the World around You

Dallas, TX: November 3-4, 2016 Theme: Big!

For information on sponsorship opportunities, click here.

Save the Date! Special Interest Group Webinars

Want to hear more from ISSA’s Special Interest Groups? Join free here!

• Women in Security SIG – June 13: 12:00 pm - 1:00 pm EST. Overcoming the Real Barriers to Women in Security.

• Security, Education, and Awareness SIG – June 15: 9:00 am - 10:00 am EST. 10 Things Disney Can Teach Us About Running a Security Awareness Program.

• Healthcare SIG – June 23: 12:00 pm - 1:00 pm EST. 3rd Party Risk Assessment for Healthcare Organizations.

• Financial SIG – August 19: 1:00 pm - 3:00 pm EST. Impact of Compliance with Privacy Regulations.


ISSA Journal Scholastic Writing Award for Best Student Article

The ISSA Journal Editorial Advisory Board is inaugurating an annual $1,000 ISSA Journal Scholastic Writing Award for the best article submitted by a current college/university student. The submission period is now open and the Board will accept articles until October 1, 2016. We encourage students to follow the published editorial calendar but will consider any submission that is focused on information security. The Board will select the best article that meets our professional standards for publication and will feature it in the December 2016 issue of the ISSA Journal. Recipient must be attending an accredited college or university full time and actively pursuing a degree. Submit your article and proof of enrollment to [email protected] by October 1, 2016.

Please review our editorial guidelines and the 2016 editorial calendar. Questions can be directed to [email protected].

2016 Fellows Cycle Open

Do you qualify for Senior Member, Fellow, or Distinguished Fellow? The Fellow Program recognizes sustained membership and contributions to the profession. No more than one percent of members may hold Distinguished Fellow status at any given time. Fellow status will be limited to a maximum of two percent of the membership. Nominations and applications are accepted on an annual cycle. Applications will be accepted until August 1, 2016, at 5:00pm Eastern Time. Apply today!

www.ISSAEF.org

ISSAEF Scholarships – Deadline Coming Up!

The application period for the 2016 ISSA Education Foundation scholarships is closing soon with three scholarships available:

• E. Eugene Schultz, Jr., PhD. Memorial Scholarship - $3,500

• General Fund Scholarship - $3,500

• Shon Harris Memorial Scholarship - $2,000

Deadline for submission of completed applications and all supporting documentation is June 15th, 2016. Any questions should be submitted to the chairman of the Scholarship Committee, Dr. Javier Torner at [email protected]. Click for application form.

ISSA CISO Virtual Mentoring Series

Learn from the experts! If you’re seeking a career in cybersecurity and are on the path to becoming a CISO, check out the schedule of upcoming presentations.

June 9: 1:00 pm - 2:00 pm EST: The 11th Information Security Domain - Building Relationships.

Strategic Partners

ISSA International has entered into strategic partnerships with a number of organizations that include cross-promotion of our mutual activities.

What is your Security Maturity Score?

The Alliance for Performance Excellence is offering ISSA members a free Baldrige-based self-assessment through its partner ManageHub. Baldrige is the NIST program for performance excellence behind the Malcolm Baldrige Award. The Alliance for Performance Excellence is the public-private arm of Baldrige, bringing tools for quality improvement and excellence to the private sector.

This self-assessment, named the Security Success Score, will allow ISSA members to assess the performance excellence of their security operations in light of NIST-based and Baldrige-based frameworks. The Security Success Score is suitable for any sized organization, with special emphasis on small and mid-sized organizations.

Companies showing improvements may qualify to receive an official award for quality improvement at the ISSA Annual Conference.

Get Your Free Score Today: www.managehubsecurity.com.

Learn more about the Alliance at www.baldrigepe.org/alliance/.


Legislative Impact: When Privacy Hides the Guilty Party

2-Hour live event: Tuesday, June 28, 2016, 9 a.m. US-Pacific / 12 p.m. US-Eastern / 5 p.m. London

Click here to register!

Increasingly legislation and regulation are becoming extremely important drivers for what information security professionals have to do, and the pace of delivery seems to be increasing wherever you work in the world today.

What are organizations’ and individuals’ approaches to what and how they do information security? How do we prioritize what is most important? What can we do to make compliance easier? How do we get our policies aligned with the differing regulatory environments across different jurisdictions? How do we deal with export controls (software and information)? In some cases the question might be – How do we stay out of jail? Join our industry experts to get their views on this topic and the questions around it.

Join the conversation! #ISSAWebConf

View the calendar of web conferences here. For sponsorship opportunities, click here.

The Open Forum

The Open Forum is a vehicle for individuals to provide opinions or commentaries on infosec ideas, technologies, strategies, legislation, standards, and other topics of interest to the ISSA community. Open Forum articles are not intended for reporting news; they must provide insight, opinion, or commentary to initiate a dialog, as is to be expected from an editorial. Articles should be 700-800 words and include a short bio and photo. Please submit to [email protected]. Note that accepted articles may be eligible for CPE credits.

Chapter Events

• June 8: “National Cyber Summit.” Von Braun Center. For details and registration, click here.

• June 14: “Cornerstones of Trust.” Crowne Plaza Foster City. For details and registration, click here.

• June 16: “Red Team/Blue Team Training Course.” JJ Pickle Center. For details and registration, click here.

Get your events published in the ISSA Journal and E-News. You will build chapter activities, and your sponsors will appreciate the extra publicity. Send your events with the following information in this exact format: Date, Chapter Name, Time, Location, Title, Speaker, Sponsor, and a hyperlink to Details and Registration. Email to [email protected]. For more ISSA and industry events, visit the ISSA Calendar.

Elevate Your Career with Writing Experience

As a security professional, you have unique and valuable experiences, insights, and information that could positively impact infosec practitioners around the world. Exchanging that wealth of knowledge in our ever-evolving field is vital in helping us all do our jobs better and achieve our individual career goals. Effective writing is an essential skill for achieving your career goals. Do you have an article in mind? Would you find it helpful to bounce your ideas off of other members and get their feedback?

The Journal’s Editorial Advisory Board will match you with an experienced author as a resource to help you practice and refine your skills, communicate your knowledge, and raise your visibility and stature. Join Friends of Authors today, and let us know your interests and goals.

Looking to Begin or Advance Your Career?

The ISSA Career Center offers a listing of current job openings in the infosec, assurance, privacy, and risk fields. Visit the Career Center to look for a new opportunity, post your resume, or post an opening. Among the current 1,041 job listings you will find the following:

• Security Systems Administrator – University of Minnesota, Minneapolis, Minnesota

• Security Analyst – SilverBull, Westport, Connecticut

• Senior Cyber Threat Intelligence Analyst – Scope Group, Alexandria, Virginia

• Information Security Response Specialist – First Midwest Bank, Joliet, Illinois

• Information Security Engineer – University of Chicago, Chicago, Illinois

• Security Engineer Cloud Security Automation – Cambia Health, Portland, Oregon

• Security Analyst (Penetration Tester) – Digital Defense, Inc., San Antonio, Texas

• Junior IA/Cybersecurity Analyst – Wyle, Pt. Mugu, California

Visit our Career Center online for a full listing of job openings! Questions? Email Monique dela Cruz at [email protected]


When it comes to cybersecurity, being out of the loop is a dangerous place

Grow Professionally — Advance Your Career

ISSA Journal
Local Chapters
Web Conferences
Career-Based Events
Special Interest Groups
International Conference

July 31–August 1, 2016: Convergence: Securing the World Around You – Las Vegas, Nevada

November 3–4, 2016: Big! – Dallas, Texas

The community of choice for international cybersecurity professionals.

CISO EXECUTIVE FORUM

For details visit: http://www.issa.org/?page=CISOhome


★ ★ ★ ISSA ★ ★ ELECTION ★ ★ 2016 ★ ★ ★

JUNE 6 – JUNE 24

2016 International Election Candidate Profiles

The election of the International Board of Directors will take place online June 6–24. From the following slate of candidates, you will select the following positions:

International President
Five International Directors

Eligible voters include General, CISO Executive, Lifetime, and assigned Corporate and Government Organizational members as of June 6. Voting information will be sent to your primary email address on file. Please update your member profile to ensure you receive your credentials. If you have questions regarding your membership status, contact [email protected].

President
Candy Alexander
Andrea Hoy

Did you know that on average, among professional associations, from five to seven percent of the membership actually make the effort to vote?

That’s right! Less than 10 percent of the membership is deciding who will lead your association into the future. Voting only takes a few minutes. Make your voice heard this year—and make a difference. The ISSA elections open at 8 AM Eastern Time on June 6, 2016 and will close 11:59 PM Eastern Time, June 24, 2016.

You should have received an email from [email protected]. The email contains your unique voter login URL and your unique login credentials. The email was sent to the primary email address we have on file for you. If you do not see this email in your inbox, please check your junk folder and/or spam filter for your login credentials. If you do not receive your credentials or need assistance, please contact Leah Lewis at [email protected] or call +1 866 349 5818 ext. 4082.

Five Director Positions
Mary Ann Davidson
Rhonda Farrell
Garrett D. Felix
Alex Grohmann
Robert Martin
DJ McArthur
Shawn Murray
Stefano Zanero
Daniel Ziesmer

Your Vote Will Make a Difference

Profiles of each candidate can be found on the pages that follow.

JUNE 6 – JUNE 24
(This information provided by the candidate who is solely responsible for the content.)

President Candidate
Candy Alexander
CISSP, CISM

As a recognized cybersecurity expert, I have 25+ years of experience in the field. In order to keep this focused on the ISSA, I ask that you visit my LinkedIn profile to learn about my professional background (https://www.linkedin.com/in/candyalexander). My commitment to ISSA is demonstrated by lifelong membership, service on the ISSA International Board (overseeing Communications, the Journal, Marketing/Branding, and PR), and as the Chief Architect for the Cyber Security Career Lifecycle®. I was also the first President of the ISSA Education Foundation and continue to serve on the board. I’m a member of the New England and New Hampshire Chapters. I have received numerous awards: Professional of the Year, ISSA Honor Roll, Distinguished Fellow, and ISSA Hall of Fame.

Statement of Goals

During my tenure, I have earned a reputation for my passion and for getting things done through leading and working with teams. It is now time to take on the role of International President. Based on what I am seeing in the world around us, it is crucial for ISSA to increase its relevance. This needs to be accomplished through developing and implementing new innovative programs. It is time for ISSA to take a fresh approach:

• Demonstrate ISSA’s leadership and value by highlighting our neutrality. We must remain neutral to all certification and educational organizations in order to provide our members the best experience. Partnering with all—exclusivity to none.

• Focus on ISSA’s core strength—professional support system. ISSA’s strength is in providing networking and knowledge-sharing opportunities that are unique to each individual. It is important to continue building services using the Cyber Security Career Lifecycle® and deliver through chapters.

• Develop innovative solutions. It may sound like a cliché, but we are a profession based on technology. I will reach out to chapters and members to understand their needs, and then implement innovative solutions to meet those needs. It is important to identify cutting-edge solutions to deliver knowledge-sharing opportunities for our members.

• Foster the community spirit. ISSA is the security profession; we need to foster our community and celebrate it. We need to recognize our chapters and members who continue to give, while encouraging others to grow.

I urge you to make your voice and the voice of the profession heard by voting. I ask for your vote. Together we can make wonderful and exciting things happen.

President Candidate
Andrea C. Hoy
CISSP, CISM, MBA

Andrea Hoy is arguably one of the leading women in her profession. A former advisor to the Pentagon, receiving the Security Education Manager’s Award in 1991, she has worked on numerous committees in Washington, DC. Internationally she has assisted Fortune 20 corporations with establishing policies and procedures that comply with the European Union Privacy Directive, the Data Protection Act, and the Dutch Personal Data Protection Act.

Since 1998, Andrea has served ISSA: International Board as Director, Vice President, and current President. She has diligently served at the chapter level: Orange County Chapter Program Director, Vice President, and eight terms as President; and founding member of Ventura County Chapter. She initiated and founded the Financial SIG.

In recognition of Andrea’s endless contributions and dedication to the industry and profession, she has been awarded the ISSA’s Distinguished Fellow and is on the Honor Roll, as well as the YWCA Women in Leadership award.

While on the International Board, she has spoken with many members across our truly global constituency. She understands that various geographic locations have unique necessities and supported funding the EU Chapter Leaders’ Summit, which is a good model for other regions.

Statement of Goals

• Expand ISSA’s international presence initially by targeting underserved geographic regions

• Membership recruitment initiatives for new cyber professionals
- Establish and expand student chapters on campuses
- Create and provide continued support to Cyber Challenges and incorporate additional practice “cyber ranges” (K-12, high school, and collegiate)

• Ensure that our Special Interest Groups (SIGs) reflect topics that serve to educate our international communities

• Expand and increase industry discounts for ISSA members for global industry conferences and information security training (i.e., RSA, Black Hat, CEIC)

• Continue to drive the formalization of our Strategic Alliances with additional professional organizations, broadening the cyber scope to include governance, privacy, and other elements.

As a past Presidential Advisor, as well as a CISO Executive Forum Task Force and Financial SIG founder, ISSA Orange County Chapter President for over eight years, and founding member of Ventura County, our 151st chapter, I hope you find it in your heart to allow me to continue to represent you and expand our association across the globe.

JUNE 6 – JUNE 24
(This information provided by the candidate who is solely responsible for the content.)

Director Candidate
Mary Ann Davidson

Mary Ann Davidson is the Chief Security Officer at Oracle Corporation, responsible for Oracle Software Security Assurance. She represents Oracle on the Board of Directors of the Information Technology Information Sharing and Analysis Center (IT-ISAC), and serves on the international board of the ISSA.

Statement of Goals

I have several goals I would like to pursue as a Director of ISSA International, one of which is in the area of regulatory impact. Many of us work in regulated industries; the rest of us soon may be as “cybersecurity legislation” becomes front and center in multiple countries. The degree to which we can leverage others’ experiences and knowledge in these areas helps us be smarter, faster. Without becoming lobbyists, we must nonetheless weigh in on public policy issues that affect us. Many regulators do not always understand the cost of mandated measures vs. tangible benefits of those measures. ISSA needs to “speak for the troops in the trenches” at the front lines of information security.

We must also strengthen our pipeline by targeting universities to recruit the next generation of practitioners for the “ISSA community of tomorrow.” We should also engage with universities to help instill in them the need for better security education in multiple disciplines such as computer science, computer engineering, and software engineering (and for that matter, business school curricula). We are handicapped as professionals by the degree to which the underlying IT infrastructure actually is designed and built as infrastructure. If we do not change our collective mindset (in part via educational change), there are not enough IT security professionals in the world to secure critical IT-based infrastructure any more than training more doctors will stem a plague. Further, cybersecurity is a function in support of larger business objectives, since business is about assuming risk and there is—alas—a paucity of understanding the systemic risk that the increase in IT-based systems can pose.

Ultimately, good public policy has to be implemented by the people doing the work. Improving the “inputs” to our professional lives—new recruits who can bring their educational experiences to us; better, more robust software and hardware engineered for today’s threats—will enable better “outputs”—defensible, robust cyber infrastructure.

Director Candidate
Rhonda Farrell

Dr. Rhonda Farrell is an associate with Booz Allen Hamilton, primarily focusing on lifecycle activities as they relate to cybersecurity infrastructures within the IC, DoD, and federal civilian markets. Her prior career experience includes supporting operations, engineering, information security, and training initiatives within Fortune 500 companies throughout Silicon Valley, California, and the US Marine Corps at Quantico, Virginia. Her educational background includes a BS in Business Administration (1999), an MBA in Strategic Management (2000), a JD (Technology focus – 2009), and a Doctorate of Science in Information Assurance (2015).

Her diverse professional memberships include decades of service to ISSA, the American Society for Quality (ASQ), Institute of Electrical and Electronic Engineers (IEEE), and the Women Marines Association.

She has served on the ISSA International Board of Directors since 2014, as a chapter officer since 2010, and as a chapter member, contributor, or committee member since 2003. She is currently a Fellow within the organization.

Over the last two years, as a member of the ISSA International Board of Directors, she has worked tirelessly to actively engage members and community participants from across the globe in special interest group (SIG) growth and centralization efforts; helped develop and pilot the mentoring working group for chapters, members, students, and faculty; promulgated planning and governance best practices at the board and chapter level; while seeking to create and instill a culture of performance excellence and service to one another and the profession. Lastly she continues to focus on automation and infrastructure activities that enable efficiencies across the Cyber Security Career Lifecycle (CSLC) program offerings, while expanding ISSA International strategic partner offerings and the Women in Security SIG internationally.

Statement of Goals

• Full centralization and growth of the core SIG offerings within industry and worldwide

• Expansion of the pilot Mentoring working group to include chapter and international participants

• Strengthened strategic partner offerings that expand professional development opportunities across the five population strata of the CSLC

Rhonda seeks your vote to continue working both domestically and internationally in the areas of performance excellence, holistic development of the security practitioner, industry partner integration, as well as continuance of all SIG-related growth initiatives, within a framework of heightened governance, strategic alignment, and service to the profession.

JUNE 6 – JUNE 24
(This information provided by the candidate who is solely responsible for the content.)

Director CandidateGarrett D. FelixMS, CISSPGarrett currently oversees the glob-al privacy and information securi-ty strategy as Privacy Officer and Information Security Officer for EXOS|MediFit. Garrett has been a member of ISSA since 2005 and be-came a CISO Executive Member in 2007. He has served in various leadership capacities at the in-ternational, national, and local levels within the association. In December 2015, Garrett was appointed to fill a Director vacancy with the ISSA International Board, after serving four years on the ISSA CISO Advisory Council. Prior to that, he served three years as president of the Central PA Chapter. In 2014, Garrett was recognized as an ISSA Fellow. Additionally, he is currently a member of the Delaware Valley Chapter. Garrett has further contributed to various ISSA projects, webcasts, presenting at the ISSA International Conference and via the Cyber Security Career Lifecycle™ Pre-Professional Meet Up. In addition to his involvement in other information security industry events, he has also been a frequent speaker on security and privacy issues impacting the Health, Fitness and Wellness Industry.

Statement of Goals
ISSA has provided me, as I am sure the majority of our membership, with access to a vast industry network of colleagues willing to share their experiences, successes, challenges, and expertise to help each other find ways to solve similar problems we face each day as cybersecurity professionals. In December 2015, I stepped down from the ISSA CISO Advisory Council when I was asked and accepted an appointment to fill the remainder of a vacated Director term on the International Board. During this short time I have assisted ISSA in taking appropriate steps to protect ISSA Intellectual Property, as well as begin looking at ways in which we can expand the value of the organization as a true, international association. As such, I feel the work that I am just beginning will not be able to be truly accomplished and realized in the short period allotted from filling the vacancy. In addition to the work that is underway, I will continue to support and drive international association objectives that will further develop and leverage cybersecurity resources in order to enhance the industry-leading value that ISSA can bring to our world-wide membership, the global information security community, and the next generation of information security professionals as a whole.

Director Candidate
Alex Grohmann
Alex Grohmann has been a driving force in the information security community of Northern Virginia Chapter (NOVA) and would like to continue serving the members of ISSA at the international level. Alex has been an active and contributing member of the local ISSA chapter board for over a decade and has held various roles including public relations, programs, president, and is currently the president emeritus of the chapter. During Alex’s three years as president, the membership increased 11 percent to over 530 members, sponsorship quadrupled, and average meeting attendance regularly surpassed 120 attendees. He founded a Toastmasters chapter within the chapter to help promote public speaking for technology professionals. As a direct result of these efforts, NOVA was recognized as Chapter of the Year in 2014.

Mr. Grohmann’s efforts also strengthened the local security academic community. For example, funding for NOVA’s main scholarship, the Laurie McQuillen/Ed Hetsko memorial fund ($25,000), was fully endowed. Additional yearly grants of $5,000 were also distributed. Working with three local universities, he created a mentoring program. He also created a relationship with the Pete Conrad Foundation/Spirit of Innovation awards, positioning the chapter to be the exclusive Challenge Partner for all of the international high school teams competing in cybersecurity. Mr. Grohmann also served on the Washington, DC, InfraGard board for many years and is a graduate of the respected FBI Citizens’ Academy. He is currently a member of the cybersecurity committee within the Northern Virginia Technology Council, as well as Northern Virginia Community College’s Workforce Affinity Group. As an independent security consultant with over 20 years of experience, Mr. Grohmann currently concentrates his efforts mainly in financial services but also recently in the energy sector. In 2014 he was awarded the Fellow status by ISSA and in 2015 he entered the Honor Roll.

Statement of Goals
1. Strengthen relationships between International and the individual chapters to provide guidance and consistently improve communications.
2. Build upon the existing ISSA efforts in the workforce and education development areas, including the Cyber Security Career Lifecycle, to ensure they meet the needs of the next generation of security professionals.
3. Promote new and improved information sharing forums for security professionals, leveraging the ISSA organization.

Any consideration of Alex’s interest to serve on the international ISSA board would be appreciated.


JUNE 6 – JUNE 24 (This information provided by the candidate who is solely responsible for the content.)

Director Candidate
Robert Martin, CISSP
Robert Martin has over 12 years of experience working in the information security field. He is a Security Engineer for Cisco Systems, Inc. in RTP, NC. Robert specializes in areas such as risk management, regulatory compliance, security solutions architecture, security audits, vulnerability assessments, and penetration testing. From 2012-2015, Robert served as president of the Raleigh Chapter. During that time, the chapter membership grew at a rate of 125 percent. Currently, Robert serves on the Raleigh board as the Sponsorships Director. Robert is committed to serving the community through outreach by expanding the chapter’s mission to students and military. He has held several other IT security advisory board positions over the years with a focus to bring about awareness of information security threats in an ever-changing global IT security economy.

Statement of Goals
1. Create greater synergy between the ISSA International Board and the local chapters.
2. Create an ISSA international information sharing platform so all ISSA chapters can share successful programs for membership growth/retention, annual conferences, and chapter events.
3. Create programs to attract new information security professionals from universities and technical colleges.
4. Create a speaking circuit of information security luminaries to present at local ISSA chapters and conferences to drive attendance and chapter growth.

Director Candidate
DJ McArthur, CISSP, HiTrust CCSFP, EnCE, GCIH, CEH, CPT
DJ McArthur currently manages the data security department for one of Colorado’s largest healthcare providers, Centura Health. He served in the US Marine Corps, holds a degree in information systems security, is currently pursuing an MBA in IT administration in health care, and has served in previous roles as a data security architect and network security engineer. Prior to the healthcare industry he has spent over 10 years in other verticals such as the Department of Defense, energy, construction, infrastructure, transportation, and architectural industries where he held various security roles and responsibilities. He has been an active member of the ISSA for over ten years, is currently the Director of Communications and has held various ISSA board positions for the local Denver Chapter over the last six years while helping plan and coordinate the Rocky Mountain Information Security Conference (RMISC).

Statement of Goals
1. Continue to promote education and awareness of information security-related issues and trends out to the community abroad.
2. Utilize the skills and lessons I have learned from serving at a local chapter level up to the International Board to better serve the chapters and help with the challenges they are facing today.
3. Ensure student members, mentors, and special interest groups have good support at the international level.
4. Continue to proudly represent myself as an ISSA member and any other duty, position, or honor bestowed upon me by the ISSA members and the community.


JUNE 6 – JUNE 24 (This information provided by the candidate who is solely responsible for the content.)

Director Candidate
Shawn P. Murray, C|CISO, CISSP, CRISC, FITSP-A, C|EI
Shawn Murray is a Principal Scientist with the United States Missile Defense Agency currently assigned as a Senior Cyber Security Professional and is an officer in the US Civil Air Patrol. His previous assignments include work with the US Army Cyber Command in Europe, US Air Force, and with commercial industry in various roles in information assurance and cybersecurity. He has traveled the globe performing physical and cybersecurity assessments on critical national defense and coalition systems. Dr. Murray has worked with NSA, FBI, CIA, and the US Defense and State Departments on various cyber initiatives and has over 20 years of IT, communications, and cybersecurity experience.

He enjoys teaching and presenting as a guest lecturer on cybersecurity, business, and computer science courses for several universities. He has several industry recognized certifications to include the C|CISO, CISSP, and CRISC. He holds several degrees to include an Applied Doctorate in Computer Science with a concentration in Enterprise Information Systems. He is an ISSA Executive CISO member and chapter board member. He is also a professional member of IEEE, ACM, (ISC)2, and is an FBI InfraGard program partner. He enjoys spending time traveling with his family, researching and collaborating with other professionals in cybersecurity and cyber law, and volunteers in his community as a soccer coach.

Statement of Goals
As a practitioner and educator I am passionate about the current and future state of cybersecurity as well as collaborating with the people who lead the charge in this profession. As a Director on the international board, I would continue my service and represent the best interest of our international members and work with other international board members to steer ISSA into the future. I bring forth extensive experience applying information security concepts and educating future cybersecurity professionals expected to fill widening gaps in our career field. My goals for my term include: Working to find solutions to address gaps in skill sets to address shortages while educating new professionals in ethical standards required to maintain credibility and trustworthiness; and working to find ways to bring additional value to our membership and to identify ways to bring in new members. Additional goals include working to identify resources for outreach programs and certifying new members in the profession internationally. I will be the voice of our members!

Director Candidate
Stefano Zanero
I received a PhD degree in Computer Engineering from the Politecnico of Milano University. Currently, I am an Associate Professor at the Dipartimento di Elettronica, Informazione e Bioingegneria of the same university. I have been a speaker at international scientific and technical conferences, including the Black Hat briefings, CanSecWest, DeepSec, and Hack in the Box. I have authored or co-authored over 60 peer-reviewed papers. I am a senior member of the IEEE (Institute of Electrical and Electronics Engineers) and the IEEE Computer Society, for which I am currently serving in the Board of Governors. I am also a lifetime senior member of the ACM (Association for Computing Machinery).

I am a founding member of the ISSA Italy Chapter and have served as an International Director over the past eight years. I have been named a Fellow of our association.

In 2004 I co-founded Secure Network, a high-profile information security training and consulting company based in Milan. In 2010 I co-founded 18months, a startup delivering in-the-cloud mobile, social-enabled ticketing solutions. In 2015 I co-founded a stealth-mode startup in the fintech sector.

Statement of Goals
Over the past years, I have dedicated most of my volunteer time to build and grow (with the help of countless great ISSA volunteers whom I cannot thank enough) our association’s International Conference. If elected, I will continue devoting time to the development of the event.

I believe that ISSA can grow strongly outside of the United States, and if elected, I plan to devote my attention to membership development in the EU area. As the European Commission is currently funding the security area within the Horizon2020 plan, ISSA could and should be a trusted source and partner for security initiatives at the Commission level.

I am also a strong believer in partnerships, and I have helped the ISSA board to reach out to the IEEE and the Computer Society. We need improved cooperation with our (ISC)2 colleagues to better serve our respective members.

I strongly believe that we are still under-exploiting the networking potential of ISSA, and we will need to figure out over the next two years how to evolve, connect, and integrate our chapters and members.

Finally, I think ISSA is still missing out on the younger members of the profession, in particular those starting from a technical approach. I think that ISSA can grow in its standing if it helps bridge the gap between seasoned professionals and managers and young, bright thinkers with potentially novel solutions in their minds. We need to be present in colleges and universities and to develop mentoring programs that allow student members to become better professionals.


JUNE 6 – JUNE 24 (This information provided by the candidate who is solely responsible for the content.)

Director Candidate
Daniel Ziesmer
And last, but not least (assuming ISSA listed us alphabetically)…

In a year that is already replete with election campaigns and politics, I will spare you promises that cannot be kept, demands that cannot be fulfilled, and assurances that would surely ring hollow. Instead I will speak simply, and plainly.

Today I like to think of myself as an experienced risk management and cybersecurity professional, but I fully understand and know what it means to start at the bottom of a career ladder, working to build the knowledge, skills, and abilities to make that next step, and do so successfully. ISSA is an organization that provided me with opportunities to better interact with my peers and those who had advanced in their careers before me. It provided me a chance to transition my career, and at the same time reach out a hand and help those who were behind me. This organization is unique because we’re not trying to sell something, and we’re not asking for anything in return… that is a noble effort I want to continue.

My work as a former (and still part-time) educator and mentor perhaps most drives my desire to serve on the board: to carry forward a spirit of service and servant leadership. In fact, I chose to run this year because I heard from so many of you—whether unaffiliated professionals, new members, long-standing associates, or even vendors—that what you felt was most missing on the board was “a voice.” My purpose is to be a conduit that carries your ideas, needs, and goals into the board discussion, driving change that aligns with ISSA’s vision and mission, but also broadens the organization’s outreach and horizons as we look to the future.

As a former manager of a non-profit, as well as prior board director/president for other non-profit organizations, I have a unique appreciation of the complexities behind an operation that seems to go smoothly, and the challenges of satisfying a constituency. ISSA can appear as a deceptively simple organization, but it requires planning, organization, and careful management. My experiences provide me with the insights to make a distinctive contribution in this regard.

As we look to the future, the future of ISSA will be inextricably linked to the future of risk management and cybersecurity. For many, that future is described using words ranging from “exciting” and “challenging” to “difficult” and “terrifying.” But the future is not certain…we can shape that future, and we need strong organizations like ISSA that don’t just support our professional needs, but provide leadership and vision for businesses, government, and industry.

If you would like to learn more about me, visit my website at www.ziesmer.org, which includes a more detailed biography for your perusal. In addition, I encourage you to contact me directly at [email protected] if you have any specific questions or inquiries. Thank you for your vote.


ISSA Journal 2016 Calendar

JANUARY – Securing the Cloud
FEBRUARY – Big Data / Data Mining & Analytics
MARCH – Mobile Apps
APRIL – Malware Threat Evolution
MAY – Breach Reports – Compare/Contrast
JUNE – Legal, Privacy, Regulation
JULY – Social Media Impact (Editorial Deadline 5/22/16)
AUGUST – Internet of Things (Editorial Deadline 6/22/16)
SEPTEMBER – Payment Security (Editorial Deadline 7/22/16)
OCTOBER – Cybersecurity Careers & Guidance (Editorial Deadline 8/22/16)
NOVEMBER – Practical Application and Use of Cryptography (Editorial Deadline 9/22/16)
DECEMBER – Security Architecture (Editorial Deadline 10/22/16)

You are invited to share your expertise with the association and submit an article. Published authors are eligible for CPE credits.

For theme descriptions, visit www.issa.org/?CallforArticles.



Preparing for New Electronic Communication Privacy Laws

By Rouman Ebrahim – ISSA member, Los Angeles Chapter

Abstract
As various states, and possibly the federal government, update their electronic privacy laws, government entities have had to adapt to new rules while conducting criminal investigations. Private companies also need to keep updated and adapt to these new laws in order to respond properly to search warrants and to protect the company’s interests by updating user agreements when the company issues electronic devices to its employees. The California legislature has recently enacted the California Electronic Communication Privacy Act and many states are set to follow with their own electronic privacy laws.

Introduction

In 1986, Congress enacted the Electronic Communication Privacy Act (ECPA)1 in response to the fact that records that were kept on paper for centuries were now being stored electronically and were found on disks, computers, and other electronic devices. Although ECPA has been updated on a few occasions (CALEA, USA PATRIOT, etc.), the reality of the technological advances experienced in the last thirty years has resulted in the call for an overhaul of ECPA. Similarly, a strong interest has risen in state legislation designed to protect the privacy rights of individuals and companies from governmental intrusion.2

On October 8, 2015, California Governor Edmund Gerald “Jerry” Brown, Jr. signed into law Senate Bill 178, the California Electronic Communications Privacy Act (Cal-ECPA),3 which went into effect on January 1, 2016. Cal-ECPA requires law enforcement to seek judicial approval (typically through a search warrant or a wiretap order) before obtaining electronic communication and device information. It also requires strict adherence to the specificity requirements of the Fourth Amendment as well as sealing and notification procedures. Furthermore, it provides for strong exclusionary remedies if law enforcement agents violate any of the requirements. The stated goal of Cal-ECPA’s authors is to treat electronic evidence similar to other types of evidence that can be obtained only through a search warrant. For example, one of the authors of the law, California State Senator Mark Leno, stated that there is no reason a letter sitting in a drawer at one’s residence should get more protection than communications in an email or text.4

Although this law only applies to California state-level law enforcement, a number of other states are in the process of passing their own updated electronic privacy laws. Furthermore, even though such statutes are designed to limit and control conduct by law enforcement, certain requirements of these statutes can impact private companies such as communication service providers and any companies that issue electronic devices to their employees for use in their operations. After a brief introduction to Cal-ECPA and the broad definitions within it, this article will focus on issues that impact private businesses and corporations. This article is not in any way meant to be construed as legal advice. Rather, it is intended as a guide for private organizations to be aware of the impact of this law and to be prepared.

A quick primer on Cal-ECPA

A government entity shall not . . .
In short, Cal-ECPA states that a government entity shall not do any of the following:
• Compel the production of or access to electronic communication information from a service provider
• Compel the production of or access to electronic device information from any person or entity other than the authorized possessor of the device
• Access electronic device information by means of physical interaction or electronic communication with the electronic device; this section does not prohibit the intended recipient of an electronic communication from voluntarily disclosing electronic communication information concerning that communication to a government entity5

Cal-ECPA states that a government entity may compel such production and access to electronic information pursuant to a search warrant, a wiretap order, or an order for electronic reader records.6 In other words, before accessing such information, the government entity has to show probable cause to a judge. If the evidence at issue involves accessing electronic device information by means of physical interaction or electronic communication with the device, in addition to the above methods, a government entity may also access them as follows:
• With the specific consent of the authorized possessor of the device
• With the specific consent of the owner of the device, only when the device has been reported as lost or stolen
• If the government entity, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires access to the electronic device information
• If the government entity, in good faith, believes the device to be lost, stolen, or abandoned, provided that the entity shall only access electronic device information in order to attempt to identify, verify, or contact the owner or authorized possessor of the device7

1 18 U.S.C. §§2510-22.
2 See e.g., Virginia Senate Bill 599 (Introduced January 13, 2016); New Mexico Senate Bill 154 (Introduced January 20, 2016); New York Assembly Bill No. A09235 (Introduced February 4, 2016); Minnesota H.F. 2668 (Introduced March 8, 2016).
3 Cal. Penal Code §§ 1546, 1546.1, 1546.2, 1546.3, 1546.4. All further section references are to the California Penal Code unless specifically stated otherwise.
4 “For what logical reason should a handwritten letter stored in a desk drawer enjoy more protection from warrantless government surveillance than an email sent to a colleague or a text message to a loved one?” Statement from State Senator Mark Leno, http://sd11.senate.ca.gov/news/2015-06-03-senate-passes-leno-bill-modernize-digital-privacy-protections.
5 §1546.1(a).
6 §1546.1(b)

SAVE THE DATE
HYATT REGENCY | DALLAS, TEXAS | NOVEMBER 2-3, 2016
FEATURING:* 800+ Attendees Expected; 60 Sessions | 7 Tracks | CPEs; Up to 100 Exhibits; Career Counseling & Networking Center; Cyber Defense Center; International Awards; ISSA Party in the Sky; CISO Executive Forum
*Subject to change.
Information Systems Security Association | www.issa.org | 866 349 5818 USA toll-free | +1 206 388 4584 International

Specificity and sealing of irrelevant information
Given the incredibly large amount of information that may be found in an individual’s electronic devices as well as other locations where electronic information may be stored (emails, texts, remote storage, etc.), another goal of Cal-ECPA is to require law enforcement to specifically state what information they are seeking and state the reason why they believe such information would be found by a search. Traditionally, law enforcement agents have written warrants to seize all devices and then have gone through as much, or as little, as they wished in order to obtain the relevant information. Meanwhile, they would gain access to much more than what they were looking for at the expense of the privacy of the target of the warrant. In order to stop law enforcement from having access to irrelevant information, Cal-ECPA requires that a warrant “describe with particularity the information to be seized by specifying the time periods covered, and as appropriate and reasonable, the target individuals or accounts, the applications or services covered, and the types of information sought.”8

Naturally, given the amount of information available, it is likely that even a very specific search may still give law enforcement access to more information than what they had originally sought. For example, a search warrant allowing law enforcement to see all emails of an individual accused of embezzling money from a company during a three-month period will likely expose many other emails that were not intended to be seen by the warrant. To deal with this issue, Cal-ECPA states that a warrant must require “any information obtained through the execution of the warrant that is unrelated to the objective of the warrant…be sealed and not subject to further review, use, or disclosure without a court order.”9

7 §§1546.1(c)(3)-(6)
8 §1546.1(d)(1)

Service providers should be aware that in their response to a warrant, they will be required to provide an affidavit verifying the authenticity of the electronic information they are producing.10 In case the electronic information is used in a judicial hearing in California (trial, preliminary hearing, grand jury proceedings, etc.), such compliance will result in the self-authentication of the records for a judicial hearing. That means the service provider will, most likely, not be required to send a witness to that hearing to authenticate the records. Most states have similar laws regarding self-authentication of electronic records.

Notification requirement
In a “brick and mortar” warrant, law enforcement must abide by the “knock-and-announce” requirement. They knock on the door and clearly state the name of their agency and the fact that they have a warrant. Upon entry, they generally will provide a copy of the warrant to one or more of the residents. Cal-ECPA extends the “knock-and-announce” rule to electronic information:

…any government entity that executes a warrant, or obtains electronic information in an emergency…, shall serve upon, or deliver to by registered or first-class mail, electronic mail, or other means reasonably calculated to be effective, the identified targets of the warrant or emergency request, a notice that informs the recipient that information about the recipient has been compelled or requested, and states with reasonable specificity the nature of the government investigation under which the information is sought.11

If the investigator can make a showing to the judge issuing the warrant that an “adverse result”12 may occur if the target of the investigation is notified of the warrant, the judge can issue an order delaying notification for up to 90 days. At the expiration of the period, the target of the warrant has to be notified. However, the investigator may return to the court and ask for another delayed notification order and, if such a showing is made, the court can issue another delayed notification order for up to another 90 days. There is no limit as to how many times such a delay can be sought. When the investigation is over, or whenever the court refuses to grant another delay request, the investigator has to follow the notification requirements in Section 1546.2(a).13

9 §1546.1(d)(2)
10 §1546.1(d)(3)
11 §1546.2(a)
12 “Adverse result” means “danger to the life or physical safety of an individual,” “flight from prosecution,” “destruction of or tampering with evidence,” “intimidation of potential witnesses,” or “serious jeopardy to an investigation or undue delay of a trial.” §1564(a).

Don’t Miss This Web Conference!
Legislative Impact: When Privacy Hides the Guilty Party
2-Hour Live Event: Tuesday, June 28, 2016, 9 a.m. US-Pacific / 12 p.m. US-Eastern / 5 p.m. London
Increasingly, legislation and regulation are becoming extremely important drivers for what information security professionals have to do, and the pace of delivery seems to be increasing wherever you work in the world today. Join our industry experts to get their views on this topic and the questions around it.
REGISTER TODAY! For more information on this or other webinars: ISSA.org => Web Events => International Web Conferences

Definitions

To truly understand the far reach of Cal-ECPA, it is important to review the definitions that it provides. Some are self-explanatory but many are very broad and can be reasonably expanded to reach unexpected results. This section concentrates on the definitions in Cal-ECPA that may potentially impact private companies.

Electronic communication service (ECS) – “a service that provides to its subscribers or users the ability to send or receive electronic communications, including any service that acts as an intermediary in the transmission of electronic communications, or stores electronic communication information.”14

Electronic communication – “the transfer of signs, signals, writings, images, sounds, data, or intelligence of any nature in whole or in part by a wire, radio, electromagnetic, photoelectric, or photo-optical system.”15

Electronic communication information (ECI) – “any information about an electronic communication or the use of an electronic communication service including, but not limited to, the contents, sender, recipients, format, or location of the sender or recipients at any point during the communication, the time or date the communication was created, sent, or received, or any information pertaining to any individual or device participating in the communication including, but not limited to, an IP address.”16

13 §1546.2(b)
14 §1546(e)
15 §1546(c)

Electronic device information (EDI) – “any information stored on or generated through the operation of an electronic device, including the current and prior locations of the device.”17

Electronic device – “a device that stores, generates, or transmits information in electronic form.”18

Authorized possessor – “the possessor of an electronic device when that person is the owner of the device or has been authorized to possess the device by the owner of the device.”19

Specific consent – “consent provided directly to the government entity seeking information including, but not limited to, when the government entity is the addressee or intended recipient or a member of the intended audience of an electronic communication. Specific consent does not require that the originator of the communication have actual knowledge that an addressee, intended recipient, or member of the specific audience is a government entity.”20

Expectation of privacy and standing to object to a search

Cal-ECPA has created numerous obstacles for criminal investigations and prosecutions. Perhaps the most problematic of these obstacles is the change in requirement of who has the right to object to a search. Historically, a defendant in a criminal case has been able to object to the search and seizure of an item only when the defendant could demonstrate a reasonable expectation of privacy in the item. For example, in a situation where a digital device is found abandoned at a crime scene or a suspect throws away a device during a pursuit, the suspect in a court hearing could not object to the search and seizure of that device because he did not have an expectation of privacy.21 Cal-ECPA, however, discards the expectation of privacy requirement for searches of electronic information and allows “any person . . . [to] move to suppress any electronic information obtained or retained in violation of the Fourth Amendment to the United States Constitution or of [Cal-ECPA].”22

If a police detective finds an abandoned briefcase on the street, he may open it for safety purposes and search through its contents. If such a search leads to evidence of criminality by the owner of the briefcase, the owner would have a difficult time objecting to the warrantless search of the briefcase because by abandoning the briefcase, he no longer has an expectation of privacy. On the other hand, if the same detective finds an abandoned smartphone on the street, he cannot do a full search of the device. He may review it for the limited purpose of finding the owner or authorized possessor of the device. Any further searches would be open to a legal attack and suppression by the defendant who may have lost or abandoned the phone. The search of the briefcase did not require probable cause because nobody would have the right to object to it. The search of the phone, however, would require a showing of probable cause in a search warrant application and without any further evidence, the detective would be hard pressed to find such probable cause. Another scenario where Cal-ECPA can create substantial obstacles to law enforcement is the fact pattern discussed in Notification Requirements above, discussing the differences between authorized possessors and owners.

16 §1546(d)
17 §1546(g)
18 §1546(f)
19 §1546(b)
20 §1546(k)
21 See Katz v. United States, 389 U.S. 347 (1967).
22 §1546.4(a)

Impact on private companies

Although such laws are specifically designed to control and limit the ways in which law enforcement can collect electronic information in criminal investigations, it is important for private companies to be familiar with them. There are many instances where familiarity with electronic communication privacy laws can be beneficial to a private company.

Are you an electronic communication service?

In a majority of situations, the term “electronic communication service” is going to refer to the traditional major providers (Google, Yahoo, etc.). However, the broad definition of ECS in Cal-ECPA includes not only large and small traditional providers but also any companies that have set up in-house communication and storage such as company-wide intranets. Also, more companies are moving legacy applications and data to remote storage. Such companies, as well as third-party companies providing services such as software-as-a-service (SaaS) applications or platform-as-a-service (PaaS) offerings are subject to the requirements of Cal-ECPA, and it would be in their best interest to closely study Cal-ECPA and keep updated on the judicial interpretations and legislative fixes that are virtually certain to come about in the next few months and years. These companies should also keep an eye on their respective states’ constantly changing privacy laws.

What is an electronic device?

Many companies issue cellular phones and laptops to their employees for work purposes. Clearly, such items meet the description of “electronic device” in Cal-ECPA. However, as defined in Cal-ECPA, many more devices may fit within that definition. Most delivery service personnel now carry devices where information about the delivery is immediately entered into the employer’s database. Tracking devices on automobiles used to keep track of a company’s employees while in the field would also fit within the definition of “electronic device.”

Company credit cards are often issued to employees for various business use purposes. Most of us would not consider company credit cards to be an electronic device. But a legally valid argument can be made in favor of categorizing a credit card as an electronic device under Cal-ECPA. As stated above, an electronic device is a device that stores, generates, or transmits information in electronic form. Whether the card uses a magnetic stripe and/or a chip, the card is, at least, storing information in electronic form. It could also be argued that when it is being used in a transaction, it is generating and transmitting information. The chip generates a signal that is used for authentication and the transaction requires the card to transmit information to a POS terminal. The word “device” is defined as “a piece of equipment or a mechanism designed to serve a special purpose or function.”23 In Anglo-American legal practice, the first, and most important, factor in interpreting the intent of a statute is the plain meaning of the language used by its drafters. Given the above logic, company-issued devices such as phones, laptops, tablets, tracking devices, and even credit cards can qualify as “electronic devices” under Cal-ECPA. The importance of such an interpretation comes in how Cal-ECPA treats and differentiates between authorized possessors and owners of electronic devices.

The “authorized possessor” vs. “owner” issue

The definition of “authorized possessor” in Cal-ECPA seems to give equal rights over the device to the owner of the device as well as the person who has been authorized to possess the device.24 However, when it comes to the ability to consent to governmental access to the device, Cal-ECPA gives priority to the possessor of the device. An authorized possessor of a device can give specific consent to a government agency to access the device. However, the owner of the device can only give specific consent when the device has been reported as lost or stolen.25 This seemingly small differentiation can have far reaching consequences in the investigation of crimes and who can and cannot cooperate with law enforcement, if they wish to do so.

Let’s imagine a not so far-fetched scenario. A police detective has a strong suspicion to believe that an employee of Company A has used his company-issued laptop to contact other individuals involved in planning a terrorist attack. The attack is not imminent, but the detective would like to stay ahead of any criminal activity. Also, at this point of the investigation, the detective does not have sufficient probable cause to ask a judge for a search warrant. The detective approaches the owner of Company A and asks to access the employee’s laptop. The owner of Company A states that he gives consent to the detective to access the laptop owned by Company A but in possession of the employee. The owner calls the employee into his office and tells him to bring his laptop. The employee appears at the owner’s office and when asked by the detective to turn over the laptop, he tells the detective that he does not give him consent to search and seize his laptop. He tells the detective to get a warrant.

Given the wording of Cal-ECPA, the laptop owner’s consent is not sufficient to give the detective access to the laptop. There are a number of unanswered questions under Cal-ECPA. For example, what if the owner of Company A fires the employee and the employee now has to return the laptop to the owner? Would the owner be liable for unlawful termination since the employee’s termination was due to the employee exercising a statutory right?

23 http://www.merriam-webster.com/dictionary/device (emphasis added).
24 See fn. 19, supra.
25 Compare §1546.1(c)(3) with §1546.1(c)(4). See fn. 7, supra.

What about BYOD?

In a “bring your own device” (BYOD) situation, where companies allow their employees to access the company network by using their personal devices, the ability of the government to access the employee device remains unchanged. However, the ability of the government to access information obtained by the employee and transferred to the employer’s system through the use of an application provided by the employer is not as clear. So long as it is made clear to the employee that any information that passes through the employer’s application, and thus transferred to the network run by the employer, becomes the property of the employer and subject to voluntary disclosure to law enforcement, the employer should be able to consent to the information being shared with law enforcement. However, it is important that the employee be made aware of the consequences of using the employer-provided application.

Some of these questions may be answered based on the user agreement that the employee signed when the device was issued to him or when he or she agreed to use the company-provided application. Consequently, private companies should rethink their user agreements and draft those agreements in a manner that would protect the company’s best interests while complying with Cal-ECPA or any other electronic privacy law.

Conclusion

Cal-ECPA has been in effect for only a few months. In the next few months and years, as its implementation in real-life situations proceeds and judicial decisions deal with its foggy areas, there should be more clarification. C-suites and owners of private companies must be aware of upcoming shifts and changes in the law. Numerous state legislatures are now considering passing similar laws. Although not all states may exactly duplicate Cal-ECPA, it is reasonable to assume that such new laws would be sufficiently similar so that preparation based on Cal-ECPA would be prudent for all private companies regardless of their geographic location.

About the Author

Rouman Ebrahim is a Deputy District Attorney for the County of Los Angeles, assigned to the High Technology Crime Division. He regularly instructs law enforcement agents, attorneys, community groups and industry organizations on high technology and privacy issues. He can be reached at [email protected].

Merging of Security and Privacy continued from page 7

oversights can have serious consequences when it comes to an information breach. Only when employees see information they handle as more than just “data” will they become fully bought-in, change their behavior, and be active contributors to help you achieve your data protection objectives. The goal of an integrated and unified approach to training and reinforcement should be to equip employees to make better decisions that ultimately reduce risk for the organization. But more than this, cementing this connection early and often will help you establish and sustain a high-level data protection message that is clear, concise, and consistent between the disciplines.

So bring on the security and privacy merge. Your organization’s vital information assets will be better protected because of it.

About the Author

Steve Conrad is the founder and managing director of MediaPro and has extensive experience in improving organizational performance through effective awareness and learning solutions. He is an experienced conference speaker and moderator and has moderated many discussions and panels for a variety of industry organizations. He may be reached at [email protected].


Cybersecurity Whistleblowing: What Employees at Public Companies Should Know Before Reporting Information Security Concerns

By Dallas Hammer – ISSA member, Quantico Chapter

No anti-retaliation statute specifically covers cybersecurity whistleblowers, but employees of public corporations may nonetheless be protected when blowing the whistle on cybersecurity concerns. This article provides a brief foundation for understanding how whistleblowers may fall within the coverage of the Sarbanes-Oxley Act of 2002 and the Dodd-Frank Act of 2010.

Abstract

No anti-retaliation statute specifically covers cybersecurity whistleblowers, but employees of public corporations may nonetheless be protected when blowing the whistle on cybersecurity concerns. The Sarbanes-Oxley Act of 2002 (SOX) prohibits retaliation against whistleblowers who disclose what they reasonably believe to be violations of the securities laws or fraud committed by publicly-traded companies. Thus, cybersecurity whistleblowers may be protected under this law if they understand when information security issues fall within the scope of the securities laws. Additionally, the Dodd-Frank Act of 2010 (DFA) may entitle whistleblowers to a monetary reward if they report a cybersecurity concern that constitutes an actual violation of the securities laws or regulations to the government. This article provides a brief foundation for understanding how cybersecurity professionals may fall within the coverage of SOX and DFA by analyzing the relationship between provisions of the securities laws and cybersecurity issues. Ultimately with some basic information and proper guidance, employees of public corporations may find that they can protect themselves when reporting cybersecurity concerns.

With cybersecurity becoming a topic of ever-increasing visibility and importance, information security professionals may ask what protection they have when they make potentially unpopular disclosures of cybersecurity issues. Though no whistleblower retaliation statute deals directly with the topic, the Sarbanes-Oxley Act of 2002 (SOX) will often protect cybersecurity professionals who work directly for public corporations or those corporations’ service providers. Yet further, the Dodd-Frank Act of 2010 (DFA) could allow information security workers to receive a whistleblower reward for reporting cybersecurity concerns to the US Securities and Exchange Commission (SEC) or the US Commodity Futures Trading Commission (CFTC), in some cases.

However, the relationship among cybersecurity issues, SOX, and DFA is not yet clearly defined. Accordingly, information security professionals should educate themselves about whistleblower protections. Doing so could make the difference between being protected, receiving a whistleblower reward, or suffering retaliation without recourse.

What does SOX protect?

In relevant part, Section 806 of the Sarbanes-Oxley Act1 forbids a covered employer to “discharge, demote, suspend, threaten, harass, or in any other manner discriminate against an employee” because of any lawful disclosure or act “regarding any conduct which the employee reasonably believes constitutes a violation of”:

• Mail fraud
• Wire fraud
• Bank fraud
• Securities or commodities fraud
• Any SEC rule or regulation
• Any provision of federal law relating to fraud against shareholders2

1 Sarbanes Oxley Act (SOX) – 18 U.S.C. § 1514A - http://www.whistleblowers.gov/acts/sox_amended.html.

SOX in Context

Sparked by dramatic corporate and accounting scandals, the Sarbanes Oxley Act represents the most important securities legislation since the original federal securities laws of the 1930s.1 Those scandals included those affecting Enron, Tyco International, Adelphia, Peregrine Systems, and WorldCom. Passed in 2002, SOX effected dramatic change across the corporate landscape to re-establish investor confidence in the integrity of corporate disclosures and financial reporting. President George W. Bush, who signed SOX into law, described it as “the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt. The era of low standards and false profits is over; no boardroom in America is above or beyond the law.”2 Based on the lessons learned from the corporate and accounting scandals, protecting whistleblowers formed an integral part of the reforms.3

1 Testimony Concerning Implementation of the Sarbanes-Oxley Act of 2002, William H. Donaldson, Chairman U.S. Securities and Exchange Commission, Before the Senate Committee on Banking, Housing and Urban Affairs – https://www.sec.gov/news/testimony/090903tswhd.htm.
2 Bumiller, Elisabeth (2002-07-31). “Bush Signs Bill Aimed at Fraud in Corporations,” The New York Times – http://query.nytimes.com/gst/fullpage.html?res=9C01E0D91E38F932A05754C0A9649C8B63.
3 148 CONG. REC. No. 103 (2002) (statement of Sen. Patrick Leahy) (“We learned from Sherron Watkins of Enron that these corporate insiders are the key witnesses that need to be encouraged to report fraud and help prove it in court.”) – https://www.congress.gov/congressional-record/2002/7/25/senate-section/article/s7350-4?q=%7B”search”%3A%5B”%5C”We+learned+from+Sherron+Watkins+of+Enron+that+these+corporate+insiders+are+the+key+witnesses+that+%5C””%5D%7D.

Can disclosures of cybersecurity issues be protected under SOX?

Disclosures of information security issues may be protected under SOX. As noted above, SOX protects disclosures relating to one (or more) of six categories of violations. Disclosures of cybersecurity issues can fall under that umbrella in myriad ways. I will describe just three of those scenarios.

Cybersecurity risks, Regulation S-K Item 503, and SEC Rule 10b-5

A public company may address cybersecurity issues in its public filings pursuant to its requirement to disclose significant risks to its business. If in doing so the company omits known, actual threats, it may violate the securities laws.3 For example, investors alleged that pharmaceutical company Matrixx Initiatives, Inc. committed securities fraud by failing to disclose reports of a possible link between cold remedy Zicam (Matrixx’s leading product) and loss of smell. Investors claimed Matrixx told the market that its revenues were going to rise 50 and then 80 percent. However, Matrixx had information indicating a significant risk to its leading revenue-generating product, according to the lawsuit. The US Supreme Court ruled that the investors’ case could proceed, reasoning that when a corporation makes a statement to the market, Rule 10b-5 requires the corporation to ensure its statements are not misleading considering all the circumstances. Similarly, a corporation could violate the law by disclosing general cybersecurity risks pursuant to Item 503 while withholding material information about known, actual risks.

Regulation S-K prescribes certain disclosures that a corporation must include in its public filings, such as its annual report (10-K) and its quarterly report (10-Q).4 Item 503(c) of SEC Regulation S-K requires a corporation to disclose risk factors and discuss the most significant factors that make an offering speculative or risky.5 This includes the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.6 A company may violate SEC Rule 10b-5 when making public disclosures if it misstates or omits a material fact.7 In relevant part, the rule states:

“It shall be unlawful for any person … [t]o make any untrue statement of a material fact or to omit to state a material fact necessary in order to make the statements made, in the light of the circumstances under which they were made, not misleading…in connection with the purchase or sale of any security.”

Shareholders or the SEC can bring actions against corporations that violate this rule. To do so, the SEC must prove that the corporation (1) made a material, (2) misrepresentation and/or omission, (3) in connection with the purchase or sale of securities, and (4) the corporation had intent or knowledge of wrongdoing. In addition to the foregoing, shareholders must also show (1) reliance, (2) loss causation, and (3) damages.8

Hundreds of corporations disclose generalized cybersecurity risks in their public filings. If they do so while failing to disclose known, actual risks, such as knowledge of an actual breach, the omission can give rise to a Rule 10b-5 action.9

2 Ibid.
3 See Matrixx Initiatives, Inc. v. Siracusano, 131 S.Ct. 1309 (2011) – http://www.supremecourt.gov/opinions/10pdf/09-1156.pdf.
4 17 C.F.R. Part 229 – http://162.140.57.127/cgi-bin/text-idx?SID=042a68d8eb9f43ca4bd7dc7e223d2bf7&mc=true&node=pt17.3.229&rgn=div5.
5 17 C.F.R. Part 229.503(c) – http://162.140.57.127/cgi-bin/text-idx?SID=042a68d8eb9f43ca4bd7dc7e223d2bf7&mc=true&node=se17.3.229_1503&rgn=div8.
6 Division of Corporation Finance, U.S. Securities & Exchange Commission, CF Disclosure guidance: Topic No. 2, Cybersecurity (Oct. 13, 2011) – https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
7 See 17 C.F.R. § 240.10b-5 – http://162.140.57.127/cgi-bin/text-idx?SID=042a68d8eb9f43ca4bd7dc7e223d2bf7&mc=true&node=se17.4.240_110b_65&rgn=div8.
8 See, e.g., Halliburton Co. v. Erica P. John Fund, Inc., 134 S.Ct. 2398, 2407 (2014) – http://www.supremecourt.gov/opinions/13pdf/13-317_mlho.pdf.
9 See Matrixx Initiatives, Inc. v. Siracusano, 131 S.Ct. 1309 (2011) – http://www.supremecourt.gov/opinions/10pdf/09-1156.pdf.


Cybersecurity Whistleblowing | Dallas Hammer


Management discussion of cybersecurity issues under Regulation S-K Item 303

A corporation’s failure to disclose cybersecurity issues that materially affect the corporation’s financial condition and operations could violate the securities laws and regulations. Item 303 of Regulation S-K requires a corporation to discuss its financial condition, changes in financial condition, and results of operations.10 Four observations about Item 303, known as Management Discussion & Analysis, are particularly relevant to our discussion:

• One of Item 303’s main purposes is to provide information about the quality of, and potential variability of, a company’s earnings cash flow so that investors can ascertain the likelihood that past performance is indicative of future performance11
• Corporations must describe any known trends or uncertainties that have had or that the corporation reasonably expects will have a material impact on net sales or revenues or income12
• Corporations must describe any unusual or infrequent events, transactions, or significant economic changes that materially affected the amount of reported income
• Corporations should address events or uncertainties that could affect past or future operations13

Because predictions about the future are inherently uncertain, the law provides a safe harbor for such forward-looking statements. But if misleading statements or omissions of fact are included in forward-looking statements, the corporation may not be insulated.14 In Harman, an electronics company made forward-looking statements that reflected positively on its sales outlook. However, the plaintiffs alleged the company was aware of historical facts strongly indicating that its sales prospects were less than stellar. In holding that the plaintiffs’ case could proceed, the court found that the company’s cautionary statements about the forward-looking information were not meaningful because they were misleading in light of the historical facts. Because the company warned of only general, unspecified risks that could affect its rosy outlook, but did not disclose actual risks that had already manifested, the safe harbor would not apply to the forward-looking statements. The court explained that a “warning that identifies a potential risk, but ‘impl[ies] that no such problems were on the horizon even if a precipice was in sight,’ would not meet the statutory standard for safe harbor protection.”15

Corporations often include generic disclosures in their management discussion and analysis about cybersecurity issues that could materially affect the corporation’s financial condition and operations. A company’s omission of facts pertaining to an actual, known risk could violate the requirements of Regulation S-K Item 303 and possibly Rule 10b-5. Thus, reporting an information security issue that contradicts or undermines the company’s management discussion and analysis of cybersecurity could be protected under SOX.

10 17 C.F.R. § 229.303 – http://162.140.57.127/cgi-bin/text-idx?SID=042a68d8eb9f43ca4bd7dc7e223d2bf7&mc=true&node=se17.3.229_1303&rgn=div8.
11 SEC Staff, Report on Review of Disclosure Requirements of Regulation S-K 8-10 at 42 fn. 125 (December 2013) – https://www.sec.gov/news/studies/2013/reg-sk-disclosure-requirements-review.pdf.
12 17 C.F.R. § 229.303(a)(3).
13 17 C.F.R. § 229.303 (instructions).
14 E.g., In re Harman Int’l Indus., Inc. Securities Litigation, 791 F.3d 90 (D.C. Cir. June 23, 2015) – https://www.cadc.uscourts.gov/internet/opinions.nsf/1B7208ADC298E6C985257E6D00539C76/$file/14-7017-1559106.pdf.
15 Ibid. at 102 (internal citations omitted).


Material weaknesses in internal controls under SOX Sections 302 and 404

Even if a corporation makes no mention of cybersecurity in its public filings, it may violate Sections 302 and 404 of the Sarbanes-Oxley Act if it fails to disclose material weaknesses in its internal controls related to information security. Section 302 of SOX requires a corporation’s CEO and CFO to personally certify the accuracy and completeness of financial reports, and they must assess and report on the effectiveness of internal controls around financial reporting.16 Section 404 of SOX requires a corporation to assess the effectiveness of its internal controls in its annual reports, and an outside auditing firm must evaluate that assessment. Material weaknesses in those internal controls must be identified.17

16 15 U.S.C. § 7241 – http://uscode.house.gov/view.xhtml?req=(title:15 section:7241 edition:prelim) OR (granuleid:USC-prelim-title15-section7241)&f=treesort&edition=prelim&num=0&jumpTo=true.

17 See, e.g., 15 U.S.C. § 7213(a)(2)(A)(iii)(III) – http://uscode.house.gov/view.xhtml?req=(title:15 section:7213 edition:prelim) OR (granuleid:USC-prelim-title15-section7213)&f=treesort&edition=prelim&num=0&jumpTo=true.

WIS SIG: Regulatory Compliance – A Change Management Challenge (continued from page 8)

just published the ISSA’s Alliance for Performance Excellence, National Institute of Standards and Technology’s Baldrige Program.1 ISSA members will have access to a free Baldrige-based self-assessment tool, named the Security Success Score,2 which allows ISSA members to assess the performance excellence of security operations in light of NIST-based and Baldrige-based frameworks. The best of both worlds heightens cyber-resiliency and enables their dedicated practitioners and organizations to excel through the change process, raising quality and performance levels with this one cohesive program.

Figure 7 depicts at a high level the core elements associated with the Baldrige framework. Armed with these new tools and new-found knowledge, we will have the opportunity to impact high levels of positive change, turning regulatory complexity and headaches into stakeholder- and organization-integrated implementation successes. Assure away SMEs!

1 Alliance for Performance Excellence and ISSA Offer Free Cyber Maturity Tool to ISSA Members, Alliance for Performance Excellence – http://www.baldrigepe.org/alliance/.

2 Managehub, Cybersecurity Success Score – https://www.managehubaccelerator.com/cybersecurity-success-score/.

Figure 5 – Change adoption cycle

Figure 6 – Business excellence framework

Figure 7 – Baldrige performance excellence criteria

Join the international conversation at #ISSAWISSIG, [email protected], and via LinkedIn.

Be BRAVE, Be BOLD, Own Your Future!

About the Author

Dr. Rhonda Farrell, J.D., CISSP, CSSLP is an Associate at Booz Allen Hamilton (BAH) and a member of the Board of Directors at ISSA Intl and ISSA-NOVA. She also holds an officer position within IEEE and committee positions within ASQ. She is the Co-Founder of the WIS SIG and works cross-organizationally to actively enhance cybersecurity-oriented programs internationally. She can be reached at [email protected].


A material weakness is a deficiency in internal controls that presents more than a slight chance that a material misstatement of the company’s financial statements will not be prevented or detected on a timely basis.18 A deficiency in internal controls arises when a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A material weakness in internal control over financial reporting may exist even when financial statements are not materially misstated. Rather, material weakness is assessed from the potential misstatement that could occur, not the amount that is actually misstated as the result of a control deficiency.19

SOX created the Public Company Accounting Oversight Board (PCAOB) to oversee and guide outside auditors in evaluating a corporation’s internal controls.20 The PCAOB specifically has addressed auditors’ need to examine corporations’ information technology controls as part of their assessment of internal controls.21 In its auditing standards, the PCAOB adopted the framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which also addresses information technology controls.

Thus, a corporation that fails to disclose a material weakness in its information security controls may be non-compliant with SOX. Accordingly, a disclosure of a cybersecurity issue that demonstrates a material weakness in the company’s internal controls may be protected.

18 PCAOB Release No. 2007-005A: An Audit of Internal Control Over Financial Reporting That is Integrated with An Audit of Financial Statements, Appendix A – http://pcaobus.org/Rules/Rulemaking/Docket 021/2007-06-12_Release_No_2007-005A.pdf; see also Financial Accounting Standards Board Statement No. 5: Accounting for Contingencies – http://www.fasb.org/jsp/FASB/Document_C/DocumentPage?cid=1218220126761&acceptedDisclaimer=true.

19 PCAOB Staff Audit Practice Alert No. 11: Considerations for Audits of Internal Control Over Financial Reporting – http://pcaobus.org/standards/qanda/10-24-2013_sapa_11.pdf.

20 15 U.S.C. § 7211 – http://uscode.house.gov/view.xhtml?req=15+usc+7211&f=treesort&fq=true&num=9&hl=true&edition=prelim&granuleId=USC-prelim-title15-section7211.

21 PCAOB Release No. 2007-005A: An Audit of Internal Control Over Financial Reporting That is Integrated with An Audit of Financial Statements – http://pcaobus.org/Rules/Rulemaking/Docket 021/2007-06-12_Release_No_2007-005A.pdf; PCAOB Release No. 2010-004: Identifying and Assessing Risks of Material Misstatement – http://pcaobus.org/Rules/Rulemaking/Docket 026/Release_2010-004_Risk_Assessment.pdf.

Shareholder fraud, internal controls, and SOX

For the reasons described above, an information security professional’s disclosure of a public corporation’s cybersecurity issues can be protected under SOX. A corporation failing to disclose information security issues could be committing shareholder fraud or violating SEC rules relating to internal controls. However, these scenarios are far from exhaustive. SOX could protect the reporting of cybersecurity issues under many circumstances.

When is a specific disclosure protected?

Though cybersecurity whistleblowers can make SOX-protected disclosures, such protection is not automatic. As noted above, SOX protects whistleblowers when they disclose what they reasonably believe to be a violation of one or more of the six enumerated categories. The “reasonable belief” standard is key to determining whether a specific disclosure is protected.

The central inquiry to determining whether any given disclosure is protected is whether the whistleblower has a reasonable belief that she is reporting a covered violation at the time she makes the disclosure. This belief must be subjectively and objectively reasonable.22 This means that the whistleblower must know and believe that she is reporting a covered violation, and a reasonable person in the whistleblower’s circumstances must be able to reach the same conclusion.23 Thus, if a whistleblower does not believe she is reporting a violation, or if her disclosure is outlandish or baseless in light of standards like those discussed above, the disclosure will not be protected. For example, the report of a minor information security issue that could have no significant effect on the corporation’s operations may not be protected.

However, it is utterly irrelevant whether the whistleblower communicates that reasonable belief to the employer or puts the employer on notice that she is engaging in protected activity. Indeed, a disclosure can be protected even if it does not mention fraud, illegal activity, or anything that could reasonably be perceived to be a violation of the six enumerated categories in SOX.24

In Prioleau, the whistleblower disclosed information security concerns. However, at the time of the disclosure, the whistleblower made no mention of SOX or any of the enumerated categories. Rather, the whistleblower reported his concern that two company policies were in conflict regarding a program that automatically deleted emails. The Administrative Review Board (an administrative appellate body that reviews SOX claims) reversed an administrative law judge’s decision that the whistleblower failed to engage in protected activity. The board held that the disclosures could be protected based on evidence the whistleblower introduced during litigation, which indicated he was aware his disclosures were related to SOX compliance and that his belief was objectively reasonable.

Information security professionals should contact an experienced whistleblower attorney to determine whether SOX covers the disclosures they have made.

22 E.g., Van Asdale v. Int’l Game Tech., 577 F.3d 989, 1000-1001 (9th Cir. 2009) – https://cdn.ca9.uscourts.gov/datastore/opinions/2009/08/13/07-16597.pdf; Harp v. Charter Commc’ns, Inc., 558 F.3d 722, 723 (7th Cir. 2009) – http://media.ca7.uscourts.gov/cgi-bin/rssExec.pl?Submit=Display&Path=Y2009/D03-16/C:07-1445:J:Rovner:aut:T:fnOp:N:225637:S:0; Menendez v. Halliburton, Inc., ARB Nos. 09-002, -003; ALJ No. 2007-SOX-005, slip op. at 12 (ARB Sept. 13, 2011) – http://www.oalj.dol.gov/PUBLIC/ARB/DECISIONS/ARB_DECISIONS/SOX/09_002.SOXP.PDF.

23 Sylvester v. Parexel Int’l, ARB No. 07-123, ALJ Nos. 2007-SOX-039, -042, slip op. at 14 (ARB May 25, 2011) – http://www.oalj.dol.gov/PUBLIC/ARB/DECISIONS/ARB_DECISIONS/SOX/07_123.SOXP.PDF.

24 Prioleau v. Sikorsky Aircraft Corp., ARB Case No. 10-060 (ARB Nov. 9, 2011) – http://www.oalj.dol.gov/PUBLIC/ARB/DECISIONS/ARB_DECISIONS/SOX/10_060.SOXP.PDF.

Other protections may also apply

In addition to SOX, numerous other laws may cover cybersecurity workers who blow the whistle, but like SOX may or may not apply depending on the specific facts. For example, if an information security issue constitutes misconduct related to a federal contract or grant, several laws may protect cybersecurity professionals from reprisal.25 If the misconduct involves fraud on the government, the False Claims Act may provide protection from retaliation, as well as an opportunity for a whistleblower reward.26 Similarly, federal employees who report an information security issue they believe constitutes a violation of law, rule, or regulation or other specified misconduct may be covered by the Whistleblower Protection Act.27

Key Considerations for Obtaining an SEC Whistleblower Reward

• A whistleblower must voluntarily give the SEC original information about a possible violation of the federal securities laws that has occurred, is ongoing, or is about to occur.

• More than one person can act together as whistleblowers, but companies and organizations do not qualify.

• A whistleblower need not be a current or former employee to be an eligible whistleblower.

• Whistleblowers who are represented by attorneys can remain anonymous when reporting through the SEC Whistleblower program.

• Cybersecurity professionals can be eligible for awards by providing independent analysis regarding violations of federal securities laws, even if they have no employment relationship with the company.

• Other exclusions and limitations may apply.1

You can find out more about the SEC Whistleblower Program here.

1 See 17 C.F.R. §§ 240.21F-1, et seq – https://www.sec.gov/about/offices/owb/reg-21f.pdf - nameddest=21F-2.

In short, though no specific law protects cybersecurity whistleblowers, many anti-retaliation laws may nonetheless protect information security workers who report problems. However, the patchwork of provisions requires careful analysis to determine which laws could apply to any given real-world scenario.

How can cybersecurity whistleblowers receive a reward?

The Dodd-Frank Act created the SEC Whistleblower Program,28 which provides rewards to whistleblowers who report violations of the federal securities laws to the SEC. Eligible whistleblowers are entitled to an award of between 10% and 30% of the monetary sanctions collected in actions brought by the SEC (or related actions brought by other regulatory and law enforcement authorities).

To become eligible, an individual must submit a whistleblower tip to the SEC’s Office of the Whistleblower. A tip must meet several requirements to qualify for an award.29 However, a key threshold is whether the SEC opens an investigation, reopens an investigation, or inquires into different conduct as part of a current investigation because of the whistleblower’s information. New information that significantly contributes to the success of an existing matter can also qualify. Another key requirement is that the SEC action must result in an order of monetary sanctions exceeding $1 million.

In practice, the program has been picking up steam. Since the inception of the whistleblower program in 2011, the SEC has awarded more than $67 million to 29 whistleblowers. In September 2014, the agency announced a more than $30 million whistleblower award,30 exceeding the prior highest award of more than $14 million31 announced in October 2013. In May 2016 alone, the SEC awarded more than $8 million,32 including its third highest whistleblower award.

Whistleblower rewards also exist for those reporting violations of federal commodities laws, fraud on the government, tax underpayment, and fraud affecting banks or other financial institutions.

Information security professionals can receive rewards under the SEC Whistleblower Program and the other whistleblower rewards laws. As discussed above, cybersecurity issues and how corporations deal with them can constitute violations of federal securities laws. And it is a good time to be an information security whistleblower. As I have discussed in a previous article,33 the SEC has had a particular focus on cybersecurity for the past few years. As the SEC continues to address the impact to US capital markets and public corporations’ responsibilities to shareholders under the law, this emerging and important topic will likely remain an enforcement focus for the foreseeable future.

25 E.g., 41 U.S.C. § 4712; 10 U.S.C. § 2409 – http://uscode.house.gov/view.xhtml?req=(title:10 section:2409 edition:prelim) OR (granuleid:USC-prelim-title10-section2409)&f=treesort&edition=prelim&num=0&jumpTo=true.

26 See 31 U.S.C. § 3730 (a whistleblower reward claim under the False Claims Act is known as a qui tam action and differs significantly from most other whistleblower rewards statutes) – http://uscode.house.gov/view.xhtml?req=(title:31 section:3730 edition:prelim) OR (granuleid:USC-prelim-title31-section3730)&f=treesort&edition=prelim&num=0&jumpTo=true.

27 5 U.S.C. § 2302(b)(8) – http://uscode.house.gov/view.xhtml?req=(title:5 section:2302 edition:prelim) OR (granuleid:USC-prelim-title5-section2302)&f=treesort&edition=prelim&num=0&jumpTo=true.

28 Office of the Whistleblower, SEC – https://www.sec.gov/whistleblower.

29 See 17 C.F.R. §§ 240.21F-1, et seq – https://www.sec.gov/about/offices/owb/reg-21f.pdf - nameddest=21F-2.

30 SEC Announces Largest-Ever Whistleblower Award – https://www.sec.gov/News/PressRelease/Detail/PressRelease/1370543011290.

31 SEC Awards More Than $14 Million to Whistleblower – https://www.sec.gov/News/PressRelease/Detail/PressRelease/1370539854258.

Conclusion

As the foregoing illustrates, there are many circumstances where blowing the whistle on cybersecurity issues related to a public company could be protected under the law, despite the lack of a whistleblower retaliation law aimed directly at cybersecurity whistleblowers. Further, cybersecurity issues may entitle whistleblowers to an award if they report actual violations of the securities laws to the SEC. However, ensuring such protection requires an understanding of how cybersecurity issues at public companies relate to the securities laws and rules regulating those companies.

32 SEC Awards More Than $5 Million to Whistleblower – https://www.sec.gov/news/pressrelease/2016-91.html.

33 SEC Enforcement Action Portends Rewards for Cybersecurity Whistleblowers – https://www.zuckermanlaw.com/sec-enforcement-action-portends-rewards-for-cybersecurity-whistleblowers/.

ISSA Code of Ethics

The primary goal of the Information Systems Security Association is to promote practices that will ensure the confidentiality, integrity, and availability of organizational information resources. To achieve this goal, members of this Association must reflect the highest standards of ethical conduct. Therefore, ISSA has established the following Code of Ethics and requires its observance as a prerequisite for continued membership and affiliation with the Association.

As an ISSA member, guest, and/or applicant for membership, I have in the past and will in the future:

• Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles;

• Promote generally accepted information security current best practices and standards;

• Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities;

• Discharge professional responsibilities with diligence and honesty;

• Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of or is detrimental to employers, the information security profession, or the Association; and

• Not intentionally injure or impugn the professional reputation or practice of colleagues, clients, or employers.

“The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants.” — Thomas Jefferson, Paris, November 13, 1787

So, too, must our code of ethics be revisited from time to time by those who abide by it and who vow to uphold it.

About the Author

Dallas Hammer is an attorney at Zuckerman Law and chairs the firm’s Whistleblower Rewards Practice Group. Mr. Hammer’s practice largely focuses on representing corporate and financial institution whistleblowers before federal agencies such as the Securities Exchange Commission, Department of Justice, and Department of Labor. He may be reached at [email protected].


Addressing Data Privacy Regulation & Standards: A Process

By Harsha Banavara and Jeffrey Farago – ISSA member, Middle Tennessee Chapter

This article addresses the continuing issues of comprehensive consideration and integration of data privacy into product development to enable compliance to applicable standards, rules, and regulations.

Abstract

The data privacy landscape is in continuous flux with more countries and regional entities placing increased importance and rigor upon the handling of specific categories of people data: personally identifiable, protected health, and sensitive information. A process is offered that promotes early consideration of what kinds of data need to be collected, processed, and stored; determination of the implications based upon intended geographic locations of sales or services; and concluding with generation of comprehensive security requirements. The authors have called upon their experiences, and supported commentary with contemporary sources.

Introduction

The ever-expanding desire to collect information on anything and everything has resulted in an enormous amount of collected, manipulated, and stored data; data gleaned from machines, processes, and most importantly from people [23]. In this article the authors will bring into discussion the terms of data privacy and security; how they interrelate and are connected is at the core of the presented concepts. Privacy within the context of data privacy “refers to keeping information confidential”; that is, allowing it to be viewed by only authenticated and authorized individuals and processes [19]. Typically, information within data privacy involves personally identifiable information (PII), protected health information (PHI), and sensitive information (SI). To ensure the confidentiality of these data types requires application of security practices and policies (e.g., authentication, authorization, encryption at rest and in motion) [20].

This article will discuss issues and consequences associated with data collection, processing, and retention—steps that need to be considered during the early stages of product1 development to minimize organizational exposure relative to data collection and use legislation and regulation [3]. A process is offered to address data decisions early on in development activities to allow the lowest costs and highest integration into products [10]. The authors’ experience, in concert with referenced contemporary sources, provides an unbiased and objective approach to this growing issue.

1 Throughout this article the term product represents hardware or software products, solutions, and services offered.

Data Classification

Personally identifiable information – PII

The definition of PII varies from one country to another. NIST SP 800-122 defines PII as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information” [13]. Some examples are:

• Name – e.g., full name, maiden name, mother’s maiden name, alias

• Personal identification number – e.g., social security number (SSN), passport number, driver’s license number, taxpayer identification number, financial account, credit card number

• Address information – e.g., street address, email address, Internet protocol (IP) address

• Personal characteristics – e.g., photographic image (especially of face or other identifying characteristic), fingerprints, handwriting, other biometric data (e.g., retina scan, voice signature, facial geometry)

Protected health information – PHI

PHI is a subset of PII. Protected health information (PHI) is defined in the Privacy Rule published by the US Department of Health and Human Services to implement the requirements of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 [15]. PHI includes, but is not limited to, all information relative to the patient-practitioner relationship:

• The individual’s physical or mental health or condition (past, present, or future)

• Services provided and diagnoses defined

• Associated payment information (past, present, or future)

• Standard PII (e.g., name, address, government-issued identification number)

In jurisdictions other than the US, PHI may not be a separate category but rather is included within the ambit of PII.

Sensitive information – SI

SI can also be a subset of PII. The definition of sensitive information (SI) may vary by jurisdiction; however, the categories commonly included are race, ethnicity, political affiliation, religion, philosophical beliefs, organizational memberships, health conditions, financial status, sexual orientation/preferences, and geo-location [20].

Figure 1 – Relationship of individual data types (PII, PHI, SI)

The challenges

Developers of products involving data collection, processing, and storage are faced with many challenges. Among these are a constantly changing regulatory environment, cross-border data flow, data localization, and penalties for non-compliance.

Regulatory environment

The first national data protection law in the world was passed by Sweden in 1973. This law only covered traditional computer-based processing of personal data; it did not address concerns such as time frames and application of the data [16]. Since then, due to advancements in technology and scope of data definition, we have come a long way: as of January 2015 more than 109 countries have enacted data privacy laws, with many under development by their governments [6]. This means that countries without data privacy laws are now in the minority. Some regulations can have a huge impact on a region; for example, the European Union recently passed the General Data Protection Regulation [9]. This legislation superseded the existing EU Data Protection Directive of 1995 and was a dramatic paradigm shift. In another seven years we will be celebrating the 50th anniversary of the first national data protection law; by then we can expect more laws to be passed by countries, making data privacy even more challenging.

Cross-border data flow

When considering transfer of personal data across geo-political borders, caution should be taken due to the following concerns [20]:

• Some countries do not have data privacy laws

• Some countries have a very restrictive set of data privacy laws

• Some countries’ data privacy laws are ambiguous

Data localization

A limited number of countries are enforcing strict regulations on their citizens’ personal data. This includes mandatory storage of the data on servers physically located within the geo-political borders of their country; restricted access to and use of the data from outside of their country; and penalties for non-compliance. Examples are China and Russia [5].

Penalties for non-compliance

Failure to warn users of data collection can also mean heavy penalties, fines, and possibly even jail time. A recent survey published by the Data Protection Authority of Hungary reported the number of fines collected for data privacy infringements has increased over 100% YoY 2014 vs 2015 [12].

A process

Introducing security-oriented features earlier in the product development cycle incurs lower costs and improves integration versus later consideration [11]. In order to address this critical issue early on in the development life cycle, it is important that we adopt a robust, time-tested process. One such process is Microsoft’s Security Development Lifecycle (SDL) developed in 2002 [8]. The process matured quickly and was opened up to public use in 2004.

According to Microsoft, “SDL is a software development process that helps developers build more secure software and address security compliance requirements while reducing development cost” [18]. Requirements is the second of SDL’s seven phases, coming right after Training. Designing resilient products is like designing a house—both require a strong foundation. Additionally, good security requirements aid in reducing the ambiguity for developers [18]. The process of coming up with good security requirements can be divided into three stages:

1. Collection and harmonization stage
2. Filtering stage
3. Prioritization stage

Figure 2 – Data privacy and security requirements process stages

In the first stage, understanding the product along with the market segments, regions, and sectors into which it will be offered is essential in determining the coverage of the standards. Sometimes the target market can be a single country (e.g., China, Russia) and organizations can come up with a China-for-China or Russia-for-Russia strategy wherein they leverage the resources within those countries, thereby eliminating complex supply chain issues. A plethora of standards and regulations exist and there needs to be a mechanism to filter out the ones that are required and the ones that are nice to have.

In the second stage, the Pareto 20/80 principle can be used to narrow down the number of documents that need to be considered. For example, if a product is to be sold in 10 countries and 80 percent of the revenue comes from just 20 percent of the countries (20 percent of 10 is 2), then the organization can concentrate its efforts primarily on those two countries.

Finally, in the third stage, after the requirements have been narrowed down, they must be prioritized by all the relevant stakeholders. Some considerations for prioritization may include customer needs, time to market, return on investment, and resources available.

It is always good practice to consider data privacy requirements along with other cybersecurity requirements as it eliminates redundancy or additional effort at a later point in time [11]. Governance, risk, and compliance (GRC) tools available in the market can assist in coming up with robust cybersecurity requirements for the product, traceable to various standards and regulations.

Oftentimes, there are multiple standards applicable to a product. In such a scenario it is recommended to go with the most stringent criteria. This allows compliance with the strictest requirements while still addressing the less rigorous ones. At the end of this three-stage process one should have a requirement specification document containing both data security and data privacy requirements for the product [3].

Basic principles and frameworks

If the collection of PII, PHI, and/or SI data is part of a product, the development team should consider and accommodate some basic principles in order to be compliant with many data privacy acts and laws. Although published in 1980, the following Organization for Economic Co-operation and Development (OECD) Framework privacy principles are still valid today [22]. These principles are:

• Collection limitation – limits on collection of personal data

• Data quality – data collected should be relevant to the purpose

• Purpose specification – purpose specified at the time of collection of data

• Use limitation – only use the data for the intended purpose

• Security safeguards – data should be properly protected in all states: rest, motion, process

• Openness – principles and/or policies should be transparent to the data subject

• Individual participation – data subject has the right to view, modify, delete his data2

• Accountability – data controller and processor are accountable for the above principles

These principles are also incorporated into the Fair Information Practice Principles (FIPPs) [3] and in the UK Data Protection Act [4].

Note: When deleting personal data, always use standard practices such as those mentioned in NIST SP 800-88 Rev1 [10].

Some of the other frameworks worth evaluating and investigating are:

• The Fair Information Practice Principles (FIPPs), 1973 [21]

• The Generally Accepted Privacy Principles (GAPP), 2009 [1]

• APEC Privacy Framework, 2005 [2]

• NIST SP 800-53 Rev.4, Appendix J, The Privacy Control Catalog, 2013 [14]

Assessment

An essential tool for determining potential risks to data privacy is a privacy impact assessment (PIA) [20]. It consists of a checklist and questions that cover many of the basic principles previously cited. The PIA should be introduced to the development process prior to commencement of design and revisited and revised if any major changes are made to data, architecture, and features.

2 To enable these capabilities, databases must be structured appropriately.

Recommendations

The following recommendations provide a basic tool kit for addressing data privacy within product development.

38 – ISSA Journal | June 2016

Addressing Data Privacy Regulation & Standards: A Process | Harsha Banavara and Jeffrey Farago


More is not always better

Be judicious in what you collect. Some data that may not be core or essential to your product can push you into highly restrictive territory (e.g., HIPAA, PCI-DSS) [19]. Knowing your end goals and customer needs will limit the variety and quantity of data, making the data privacy scope more limited and simpler. Once you have determined the type of data to be collected, how are you going to handle it in the most efficient and cost-effective manner? Sometimes organizations go overboard in applying security policies and practices by, for example, encrypting all data. Always remember to apply security wisely, as it incurs costs in both money and resources to implement and maintain (e.g., only encrypt sensitive data) [7].

Morphing your data

Unless there is a clear need for attaching an individual to collected data, aggregation or anonymization of the data is preferred. This breaks the connection between data and a specific person and takes the information out of the realm of data privacy controls [20].

Securing your image

An organization can build market goodwill and recognition based upon its security efforts by communicating data privacy-oriented actions and demonstrating that the company is committed to secure handling of its customers’ personal data. A couple of suggested tactics are the use of trust seals on websites and publicizing the establishment of binding corporate rules (BCRs):

Trust seals

Trust seals or trust marks have been around for quite some time. We have seen them mainly being used on eCommerce websites. These seals are associated with Transport Layer Security (TLS), and their presence on a website signals that the website provides safe and secure transmission of customers’ payment card information to the vendor. The Privacy Trust Seal is issued to websites that handle customers’ personal data in compliance with frameworks such as FIPPs, OECD, GAPP, or APEC [20].

Binding corporate rules (BCR)

The EU Commission defines binding corporate rules as “internal rules (such as a code of conduct) adopted by [a] multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection” (mainly EU to non-EU) [17]. BCRs approved by national data protection authorities provide a sufficient level of protection to companies to allow authorization of data transfers across political borders.

These recommendations provide a starting point and can help optimize results. All projects are unique, and the applicability of these recommendations must be weighed for relevance, value-add, and suitability.

Conclusion

This stated process will go a long way in bringing data considerations to the forefront of the conceptualization and development processes. These are considerations that, if ignored or glossed over, could place organizations in non-compliance with regional- and country-specific rules and regulations, thereby exposing them to both sanctions and reduced revenues from curtailed sales. Additionally, the earlier in the development cycle features and accommodations are incorporated, the lower the cost associated with the effort and the more integrated the solution [11]. Such an approach will address the immediate data privacy needs; however, the rapidly changing legislative landscape requires those tasked with remaining in compliance to stay current and informed. Products will surely need to evolve in this topical area, requiring organizations to plan for these changes in strategic road maps.

As people in the security realm are aware, there is no such thing as absolute security, only the pursuit of being more secure. Indeed, compliance does not guarantee security. Additionally, integration of security with data does not ensure data privacy but rather mitigates its loss, and in the end that is the most we can hope for.

References

1. AICPA (American Institute of Certified Public Accountants, Inc.) and CICA (Canadian Institute of Chartered Accountants) Privacy Task Force. 2009. Generally Accepted Privacy Principles (GAPP). Retrieved from http://www.aicpa.org/interestareas/informationtechnology/resources/privacy/generallyacceptedprivacyprinciples/downloadabledocuments/gapp_bus_0909.pdf.

2. APEC (Asia-Pacific Economic Cooperation). 2005. APEC Privacy Framework. Singapore: APEC Secretariat. Retrieved from http://www.apec.org/Groups/Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/05_ecsg_privacyframewk.ashx.

3. Breaux, T. (Ed.). 2014. Introduction to IT Privacy: A Handbook for Technologists. Portsmouth: International Association of Privacy Professionals.

4. ICO. 2014. “Data Controllers and Data Processors: What the Difference Is and What the Governance Implications Are.” Retrieved from https://ico.org.uk/media/for-organisations/documents/1546/data-controllers-and-data-processors-dp-guidance.pdf.

5. Albright Stonebridge Group. 2015. “Data Localization: A Challenge to Global Commerce and the Free Flow of Information.” Retrieved from http://www.albrightstonebridge.com/files/ASG Data Localization Report - September 2015.pdf.

6. Greenleaf, G. 2015. “Global Data Privacy Laws 2015: 109 Countries, with European Laws Now a Minority.” UNSW Law Research Paper No. 2015-21, 1-7. Retrieved from http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2603529.

7. Harris, S. 2013. All in One CISSP Exam Guide (6th ed.). New York: McGraw Hill Education.

8. Howard, M., and Lipner, S. 2006. The Security Development Lifecycle. Redmond: Microsoft Press.

9. EC. April 2016. “Joint Statement on the Final Adoption of the New EU Rules for Personal Data Protection.” Retrieved from http://europa.eu/rapid/press-release_STATEMENT-16-1403_en.htm.

10. Kissel, R., Regenscheid, A., Scholl, M., and Stine, K. 2014. “NIST SP800-88 Rev1: Guidelines for Media Sanitization.” US Department of Commerce. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf.

11. Kissel, R., Stine, K., Scholl, M., Rossman, H., Fahlsing, J., and Gulick, J. October 2008. “NIST SP800-64 Rev2: Security Considerations in the System Development Life Cycle.” US Department of Commerce. Retrieved from http://dx.doi.org/10.6028/NIST.SP.800-64r2.

12. Liber, A. 2016. “Hungarian DPA’s 2015 Annual Report and Enforcement Statistics Indicate Increased Activity.” Baker Inform. Retrieved from http://www.bakerinform.com/home/2016/4/11/hungarian-dpas-2015-annual-report-and-enforcement-statistics-indicate-increased-activity.

13. McCallister, E., Grance, T., and Scarfone, K. 2010. “NIST SP800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII),” p. ES-1. US Department of Commerce. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf.

14. Joint Task Force Transformation Initiative. 2013. “NIST SP800-53, Rev. 4: Security and Privacy Controls for Federal Information Systems and Organizations.” US Department of Commerce. Retrieved from http://dx.doi.org/10.6028/NIST.SP.800-53r4.

15. DHHS. 2010. “OCR Privacy Brief: Summary of the HIPAA Privacy Rule.” Retrieved from http://www.helpingyoucare.com/wp-content/uploads/2010/10/Summary-of-the-HIPAA-Privacy-Rule-Office-For-Civil-Rights-Privacy-Brief.pdf.

16. Oman, S. 2010. “Implementing Data Protection in Law.” Stockholm Institute for Scandinavian Law. Retrieved from http://www.scandinavianlaw.se/pdf/47-18.pdf.

17. EC. March 2016. “Overview on Binding Corporate Rules,” p. 1. Retrieved from http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/index_en.htm.

18. Microsoft. 2016. “Security Development Lifecycle: What Is the Security Development Lifecycle,” p. 1. Retrieved from https://www.microsoft.com/en-us/sdl/.

19. Stewart, J. M., Chapple, M., and Gibson, D. 2015. CISSP – Certified Information Systems Security Professional (ISC)2: Official Study Guide (7th ed.), p. 5. Indianapolis: John Wiley & Sons.

20. Swire, P. P., and Ahmad, K. 2012. Foundations of Information Privacy and Data Protection. Portsmouth: IAPP Publications.

21. Teufel, H. III. 2008. “Privacy Policy Guidance Memorandum: 2008-01 (FIPPs).” Washington, D.C.: Department of Homeland Security. Retrieved from https://www.dhs.gov/sites/default/files/publications/privacy_policyguide_2008-01_0.pdf.

22. OECD. 2013. “The OECD Privacy Framework.” Retrieved from http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf.

23. Vacca, J. R. 2013. Computer and Information Security Handbook (2nd ed.). Waltham: Morgan Kaufmann Publishers.

About the Authors

Harsha Banavara, CSSLP, CIPP, Security+, MSc in Software Engineering, is a cybersecurity analyst and the global subject matter expert in the “Requirements” stage of the Secure Development Lifecycle at Schneider Electric, with eight+ years of experience in information security. He is a member of the NEMA IoT Council and the IIC Security & Privacy Working Group. He may be reached at [email protected].

Jeffrey Farago, CSSLP, CEH, CPT, MSc in Cybersecurity, is cybersecurity director in the Building & IT Business Unit for Schneider Electric, with a 44-year career in product development, 21 years at Schneider Electric. For the last five years his focus has been on cybersecurity. He may be reached at [email protected].


Blockchain: The Legal Industry
By R. S. Tumber – ISSA member, UK Chapter

This article introduces the impact of blockchain technology upon the legal services industry.

Abstract

Having associated with those linked with the world’s largest law firms, it is clear that the concept of blockchain is not widely understood. The Harvard Business Review [15] identified blockchain as one of its top technology trends to watch in 2016, concluding that it will disrupt entire industries. Blockchain is a key area of innovation that will become increasingly significant for lawyers in the future (e.g., utilizing self-executing smart contracts). Clients will increasingly be deploying blockchains within their businesses. Therefore, to continue providing relevant advice, lawyers will need to understand the blockchain, its associated benefits, risks, and impact. This article introduces the impact of blockchain technology upon the legal services industry.

Background

When a transaction is conducted with an unknown party, we “trust” in this transaction because we know we have support from the jurisdiction’s legal system. Similarly, we may “trust” an intermediary (e.g., a bank) as part of a financial transaction. In either case, we are confident in dealing with the unknown party because of the trust we put into centralized entities.

Blockchain allows parties to digitally sign legally binding documents and preserve a private record of their signed document in the blockchain. Blockchain’s decentralized public ledger allows the document to be signed, time-stamped, and verified for authenticity. This decentralized attribute removes reliance upon a centralized entity, while enabling entities to engage in “trustless” transactions.

While blockchain technology won’t replace lawyers, the technology will transform some significant functions (based on trust) traditionally carried out by lawyers, such as contract drafting, administration, enforcement, and corporate governance. Blockchain’s capability for encryption and authentication in legal documents is a key innovation for establishing trust. The technology is relevant to lawyers because it can be used to replace anything that needs a signature (e.g., business licenses, property titles, birth certificates, etc.).

Similar to the introduction of the Internet, blockchain seems to be a rapidly evolving, yet highly disruptive technology that needs to be understood by lawyers. The manner in which law firms can secure client data is sometimes highly dependent upon the client’s requirements. Clients will likely be utilizing blockchain within their businesses. In order to provide legal advice to clients, lawyers will need to understand blockchain, its advantages, disadvantages, potential impact on existing laws/regulations, the introduction of new laws/regulations, etc. [1][6][8].

“The blockchain will be to banking, law, and accountancy as the Internet was to media, commerce, and advertising. It will lower costs, disintermediate many layers of business, and reduce friction.”
Joichi Ito, Director at MIT and early investor in Flickr and Twitter [8]

How blockchain works

In simple terms, blockchain is a distributed method of tracking and transferring assets online without the need for a trusted entity. It is the technology backbone of public platforms associated with smart contracts such as Ethereum. Ethereum was one of the first public blockchain organizations to offer a platform utilizing smart contracts.

A public blockchain platform (PBP) is a distributed database/ledger that maintains a continuously growing list of data records, possessing a tamper-evident data structure. A blockchain implementation is comprised of two forms of records [13][14]:

• Transactions: A transaction is the actual data to be stored in the blockchain, which is created by a participant using the system in a typical business day. In the case of lawyers, a transaction involves the confirmation and settling of contractual arrangements.

• Blocks: A block is a record that confirms when and in what order certain transactions became logged as part of the blockchain database. Hence, timestamps are included within blocks. A block is created by users known as “miners,” who use specialist software/equipment designed specifically to create blocks.

Transactions are confirmed by the network within an approximate time period, and this process is handled by the miners.


Mining is utilized to confirm transactions in a shared consensus system, which typically requires multiple independent confirmations for the transaction to go through. While the miners have traditionally been random network users, they may soon be replaced by a handful of trusted verification partners. Therefore, a group of law firms may agree that the ledger becomes official once computers from several group members agree to a record set of transactions.

Each node/computer possesses a complete or partial copy of the blockchain. Each new block is connected to every prior block in a digital chain. So the record of every transaction lives on the nodes of the miners, and it’s updated with each new entry. This is why the blockchain is also referred to as a distributed or a decentralized ledger. This replication makes the blockchain secure. The only way to tamper with it would be to seize control of most of the computers possessing the blockchain in their memories, which miners call the “51 percent attack.”

All confirmed transactions are embedded in the blockchain. The use of SHA-256 cryptography (or another cryptographic algorithm used in the proof-of-work) ensures the integrity of the blockchain applications, preventing modification. All transactions must be signed using a private key or seed, which prevents the transactions from being tampered with.

Below are descriptions of the terms highlighted above:

• Mining: Mining is the process of making computer hardware conduct mathematical calculations for the network (e.g., Ethereum) to confirm transactions and increase security. Not every user of the network will carry out the mining.

• Cryptography: Cryptography is the science of creating mathematical proofs to provide a high level of security. It is widely used in online commerce, banking, and by the military/intelligence services.

• Signed/signature: A cryptographic signature is a mathematical mechanism that permits someone to prove ownership. In the case of a public blockchain platform (PBP) (e.g., Ethereum) a smart contract and its private keys are linked by advanced mathematics. When the PBP signs a transaction with the appropriate private key, the entire network can see that the signature matches the smart contract. It is extremely difficult for someone to guess the private key in order to uncover sensitive data from the smart contract.

• Private keys: A private key is a secret piece of data that proves your right to use sensitive data—in this case, it could be your right to sign a smart contract via a cryptographic signature.
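The hash-linked, tamper-evident structure and the proof-of-existence idea described above, as an added Python illustration (not code from the article, from Ethereum, or from any other platform); the block layout, the omission of mining and transaction signatures, and all sample data are assumptions made here:

```python
"""Minimal tamper-evident ledger: hash-linked blocks plus proof of existence.

Added illustration, not code from the article or from any blockchain project.
Assumptions: one SHA-256 hash per block over (index, timestamp, prev_hash,
transactions); no mining, proof-of-work, network or transaction signatures,
so consensus among miners is out of scope. All sample data is constructed.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Block:
    index: int
    timestamp: int      # when the block was created (unix seconds)
    prev_hash: str      # hash of the preceding block: the "chain" link
    transactions: List[dict] = field(default_factory=list)
    hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON so identical content always yields the same digest.
        payload = json.dumps(
            {"index": self.index, "timestamp": self.timestamp,
             "prev_hash": self.prev_hash, "transactions": self.transactions},
            sort_keys=True, separators=(",", ":")).encode()
        return sha256_hex(payload)


class Ledger:
    GENESIS_PREV = "0" * 64

    def __init__(self) -> None:
        genesis = Block(0, 0, self.GENESIS_PREV)
        genesis.hash = genesis.compute_hash()
        self.blocks = [genesis]

    def add_block(self, transactions: List[dict], timestamp: int) -> Block:
        """Append a block whose prev_hash is the current tip's hash."""
        tip = self.blocks[-1]
        block = Block(tip.index + 1, timestamp, tip.hash, list(transactions))
        block.hash = block.compute_hash()
        self.blocks.append(block)
        return block

    def verify(self) -> Tuple[bool, int]:
        """Return (ok, first_bad_index); -1 when the whole chain is intact."""
        for i, block in enumerate(self.blocks):
            if block.hash != block.compute_hash():
                return False, i     # content no longer matches the stored hash
            expected_prev = self.GENESIS_PREV if i == 0 else self.blocks[i - 1].hash
            if block.prev_hash != expected_prev:
                return False, i     # link to the previous block is broken
        return True, -1

    def proof_of_existence(self, document: bytes) -> Optional[int]:
        """Index of the block that anchored this exact document, else None."""
        digest = sha256_hex(document)
        for block in self.blocks:
            for tx in block.transactions:
                if tx.get("type") == "document" and tx.get("sha256") == digest:
                    return block.index
        return None


def document_tx(document: bytes, party: str) -> dict:
    """A transaction that anchors a document's hash without storing its text."""
    return {"type": "document", "party": party, "sha256": sha256_hex(document)}


def demo() -> dict:
    """Constructed scenario: anchor a lease, then tamper with block 1."""
    lease = b"Lease: 12 Example Street, 24 months, signed by Alice and Bob"
    ledger = Ledger()
    ledger.add_block([document_tx(lease, "Alice")], timestamp=1_465_000_000)
    ledger.add_block([{"type": "transfer", "asset": "lease#1", "to": "Carol"}],
                     timestamp=1_465_000_600)
    result = {
        "valid_before": ledger.verify()[0],
        "lease_block": ledger.proof_of_existence(lease),
        "altered_doc": ledger.proof_of_existence(lease + b" (amended)"),
    }
    # Tamper 1: rewrite the anchored digest; block 1's own hash now mismatches.
    ledger.blocks[1].transactions[0]["sha256"] = sha256_hex(b"forged")
    result["valid_after"], result["bad_block"] = ledger.verify()
    # Tamper 2: also recompute block 1's hash; block 2's prev_hash then fails.
    ledger.blocks[1].hash = ledger.blocks[1].compute_hash()
    result["bad_block_after_rehash"] = ledger.verify()[1]
    return result
```

The second tamper step is the point of the chain link: rewriting one block's hash only moves the detectable break to its successor, which is why an attacker would need to rewrite every later block on most copies (the "51 percent" problem the text mentions).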

Smart Contracts

Blockchain allows the creation of “smart contracts,” which are agreements written in code and enforced by software via pre-programmed conditions. When the conditions are met, the blockchain executes the contract and conducts the transaction. So in essence, a smart contract is a software tool that replaces all or part of a contract, or the contracting life cycle. With smart contracts facilitating trade in our mobile, digitally-connected world, they can reduce business costs and reduce consumer prices. The following software can be used to create smart contracts [2]: Counterparty,¹ Ethereum,² BurstCoin,³ Codius,⁴ BitHalo,⁵ and BlackHalo.⁶

Breach prevention

This example of a smart contract relates to digital rights management (DRM). If Alice purchases and downloads a song from iTunes, she possesses a contract with Apple—a copyright license as specified in Apple’s T&Cs. The contract specifies that Alice has a limited license, so the song she downloaded can only be used on a particular number of devices. If Alice breaches the license, the software will block her attempt. Hence, software (via pre-programmed conditions) is enforcing the specific terms of the contract. This software is a “smart contract.” Blockchain furthers the development of the smart contract concept and enables automatic enforcement.

“This technology offers a great opportunity for those firms who can innovate. Those firms that are willing to adapt and embrace this technology will be able to provide more effective and efficient services, which will lead to a competitive advantage over those firms who do not evolve.”
Joe Dewey & Shawn Amuial, Holland & Knight [4]

¹ Counterparty – http://counterparty.io.
² Ethereum – https://www.ethereum.org.
³ BurstCoin – http://burstcoin.info.
⁴ Codius – https://codius.org.
⁵ BitHalo – https://bithalo.org.
⁶ BlackHalo – http://blackhalo.info.

Multi-signature transaction

Let’s consider a multi-signature transaction. In this form of transaction, “X” number of parties are given digital keys to release funds to Alice when certain conditions are met. The parties with the digital keys are unable to access the funds, but when “Y” of the total “X” number of parties agree that the requisite conditions are met, the funds are released to Alice. This form of transaction is advantageous for managing escrows, mediation, and shared finances. When multi-signature transactions are time-locked (the release of funds or other action is automatically executed based on a time parameter), the transactions can be executed according to a given time (e.g., executing wills and trusts). When multi-signature transactions are data-locked, the release of funds or other action can be automatically executed based on a real-world event.
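The Y-of-X release with time-lock and data-lock conditions described above, as an added Python illustration (not code from the article or from any blockchain platform); it assumes HMAC-based party signatures as a stand-in for the public-key signatures a real chain would use, and the party names, amounts, dates and oracle event are constructed:

```python
"""Y-of-X multi-signature release with time-lock and data-lock conditions.

Added illustration, not code from the article or from any blockchain platform.
Assumption: each party's 'signature' is an HMAC-SHA256 over the release
proposal using a per-party secret known to the verifier; a real chain would
use public-key signatures so the verifier holds no secrets. Party names,
amounts, timestamps and the oracle event are constructed sample values.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(secret: bytes, proposal: dict) -> str:
    return hmac.new(secret, canonical(proposal), hashlib.sha256).hexdigest()


@dataclass
class MultisigEscrow:
    """Funds held for `beneficiary`; released when `threshold` of `parties` agree."""
    parties: Dict[str, bytes]             # party name -> signing secret (see docstring)
    threshold: int                        # "Y" of the "X" key holders
    beneficiary: str
    amount: int
    not_before: Optional[int] = None      # time-lock: unix time from which release is allowed
    required_event: Optional[str] = None  # data-lock: real-world fact that must be attested
    signatures: Dict[str, str] = field(default_factory=dict)
    released: bool = False

    def proposal(self) -> dict:
        # What every party signs: binds the release to beneficiary, amount and locks.
        return {"beneficiary": self.beneficiary, "amount": self.amount,
                "not_before": self.not_before, "required_event": self.required_event}

    def add_signature(self, party: str, signature: str) -> bool:
        """Accept a signature only from a listed key holder and only if it verifies."""
        secret = self.parties.get(party)
        if secret is None:
            return False
        expected = sign(secret, self.proposal())
        if not hmac.compare_digest(expected, signature):
            return False
        self.signatures[party] = signature
        return True

    def try_release(self, now: int, attested_events: List[str]) -> str:
        """Return 'released' or the reason the release is still blocked."""
        if self.released:
            return "already-released"
        if len(self.signatures) < self.threshold:
            return f"need {self.threshold} signatures, have {len(self.signatures)}"
        if self.not_before is not None and now < self.not_before:
            return "time-locked"
        if self.required_event is not None and self.required_event not in attested_events:
            return "data-locked"
        self.released = True
        return "released"


def demo() -> List[str]:
    """Constructed: 3 key holders, any 2 may release, not before 1 June 2016 UTC,
    and only once an oracle attests that the goods were delivered."""
    parties = {"lawyer": b"k-lawyer", "buyer": b"k-buyer", "seller": b"k-seller"}
    escrow = MultisigEscrow(parties, threshold=2, beneficiary="Alice", amount=5000,
                            not_before=1_464_739_200, required_event="goods-delivered")
    steps = []
    steps.append(escrow.try_release(now=1_465_000_000, attested_events=["goods-delivered"]))
    # A stranger's signature, and a valid key's signature over a different amount, are rejected.
    steps.append(str(escrow.add_signature("mallory", sign(b"k-mallory", escrow.proposal()))))
    tampered = dict(escrow.proposal(), amount=9000)
    steps.append(str(escrow.add_signature("buyer", sign(b"k-buyer", tampered))))
    escrow.add_signature("buyer", sign(b"k-buyer", escrow.proposal()))
    escrow.add_signature("lawyer", sign(b"k-lawyer", escrow.proposal()))
    steps.append(escrow.try_release(now=1_460_000_000, attested_events=["goods-delivered"]))
    steps.append(escrow.try_release(now=1_465_000_000, attested_events=[]))
    steps.append(escrow.try_release(now=1_465_000_000, attested_events=["goods-delivered"]))
    steps.append(escrow.try_release(now=1_465_000_000, attested_events=["goods-delivered"]))
    return steps
```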

Credit enforcement

If Alice fails to make repayments on her credit agreement, the smart contract could disable Alice’s product. For example, let’s assume microwaves are integrated with the Internet of things. If Alice fails to make repayments on her new microwave, the device could completely disable itself, and alert the retailer to collect it immediately. If the device was a car instead, perhaps it would drive itself back to the showroom.

“We envisage smart contracts being revolutionary in...litigation across the world. This is just the beginning of a game-changing implementation and execution of contracts. Ultimately, the technology is now in place for any contract to be a smart contract.”
Richard Howlett, Selachii [10]

The drafting of smart contracts by lawyers may resemble computer programming by developers. For example, considering the microwave example above, a smart credit agreement may look like the following [4][5]:

    #include credit library
    #include blockchain library
    Var Debtor = Microwave Corp.
    Var Creditor = Microwave Lender
    New Document = new Credit Agreement.create {debtor:Debtor, creditor:Creditor, type:working capital}
    New Document.interest = Libor(30 day)
    New Document.fincovenants = Debt_Yield(3), LTV(60)

Issuance of land records

Blockchain can be exceptional in assisting with resolving land disputes in various countries. The transparent nature of blockchain could make it possible to not only see who owns a particular piece of land at a given point in time, but to transfer and track the ownership of the land over a period of time. Honduras, one of the poorest countries in the Americas, started developing a secure land title record system using blockchain technology in 2015 to combat rampant land title fraud.⁷

Tracking leases

Blockchain can be used to keep track of leased assets and associated documentation as they move between lessees. Such assets may include property, buildings, vehicles, industrial equipment, etc. When the asset is transferred to another lessee, it would be tagged with a cryptographic signature. This signature could be used to program keys issued to the new owner of the asset so only he or she can enter/use the asset.

⁷ Gertrude Chavez-Dreyfuss, Honduras to Build Land Title Registry Using Bitcoin Technology, Reuters (May 15, 2015) – http://in.reuters.com/article/usa-honduras-technology-idINKBN0O01V720150515.

Proof of existence

Blockchain possesses a proof-of-existence function that enables cryptographic algorithms to verify that a document has not been modified after its inclusion in the blockchain. This can aid lawyers with intellectual property registration, land title registration, recording leases and mortgages, and recording shareholder agreements [3].

Downside of blockchain

Although blockchain offers an array of innovative and cost-cutting advantages for organizations, there are some drawbacks [3][9]:

• As with much technology, there can be drawbacks. As transactions in smart contracts are initiated automatically and immediately, transactions can be difficult to modify or reverse as soon as they’re programmed. This is a problem if a need arises to cancel a smart contract.

• Considering the anonymity of blockchain users, if Person X wishes to sue Person Y after a dispute, Person X may have difficulty trying to determine the identity of Person Y.

• As mentioned earlier, using blockchain in the legal industry may require lawyers to learn basic to intermediate programming skills, in order to draft and implement smart contracts. They would also need to fully understand blockchain, so they can adequately advise clients.

• Blockchain will displace the individuals and institutions that provide settlement services. Banks, title companies, and lawyers will be among those to feel the backlash of blockchain. However, where one door closes, another door may open.

• Blockchain enables us to enter into contracts in a less expensive and more secure manner, maintain property registers, conduct banking transactions, and more. However, these present legal issues within the areas below. Therefore, the existing regulatory frameworks will have to evolve in order to support blockchain technology:

• Banking and Finance: Considering the vast experiments with blockchain by banking institutions, they know this technology could possibly replace banks as financial intermediaries. The current regulation will need to adapt classifications of currencies, commodities, and property. Additionally, issues relating to taxation and money laundering will need to be addressed.

• Physical and Intellectual Property: Domestic title registries could be replaced due to blockchain’s ability to track changes in asset ownership and the licensing of intellectual property.

• Contract Law: As mentioned earlier, as smart contracts self-execute, it would be difficult to void these in the event of duress, mistake, or misrepresentation.

Conclusion

Blockchain is a rapidly evolving and innovative technology, one that will drastically change human interactions, regulatory frameworks, traditional practices, and more. Despite the downsides of blockchain, law firms are already experimenting with it.

To meet the blockchain community’s growing need for scientific leadership, an academic consortium has been launched: the Initiative for CryptoCurrencies and Contracts (IC3). Led by Cornell University in New York, IC3 researches how to create self-enforcing contracts with blockchain technology [16]. Additionally, under the Open Ledger Project, overseen by the not-for-profit Linux Foundation, several major organizations from the technology and financial industries (including IBM, Intel, London Stock Exchange Group, and JP Morgan) have joined forces to create another version of the blockchain [17]. Could the Magic Circle (the five leading law firms headquartered in the United Kingdom) and/or other law firms form their own version of the blockchain too?

Management within law firms needs to be educating itself about the changes to come, similar to the conversations in the 1990s regarding the Internet. Now it’s time to talk about the new technologies, ranging from big data to… blockchain technology.

References

1. S. Troy, Blockchain Technology to Disrupt Financial, Legal Fields, (2016) – http://searchcio.techtarget.com/feature/Blockchain-technology-to-disrupt-financial-legal-fields.

2. D. Walsh, A Beginner’s Guide to Smart Contracts, (2015) – http://cryptorials.io/a-beginners-guide-to-smart-contracts/.

3. Liou, Using Bitcoin’s Blockchain Technology in Legal Practice, (2016) – http://stlr.org/2016/03/28/using-bitcoins-blockchain-technology-in-legal-practice/.

4. J. Dewey & S. Amuial, Blockchain Technology Will Transform the Practice of Law, (2015) – https://bol.bna.com/blockchain-technology-will-transform-the-practice-of-law/.

5. C. Sullivan, How Will Blockchain Technology Change the Practice of Law, (2016) – http://blogs.findlaw.com/technologist/2016/02/how-will-blockchain-technology-change-the-practice-of-law.html.

6. C. Reisenwitz, How Bitcoin Blockchain Technology Could Impact Lawyers, (2015) – http://blog.capterra.com/how-bitcoin-blockchain-technology-could-impact-lawyers/.

7. J. Quigley, Bloomberg BNA Conference Underscores Blockchain Impact on Law Firms, (2016) – http://www.smithandcrown.com/bloomberg-bna-conference-blockchain-impact-law-firms/.

8. M. Milnes, Blockchain: A Tech Trend for Business Lawyers in 2016, (2015) – https://www.linkedin.com/pulse/blockchain-tech-trend-business-lawyers-2016-michael-milnes.

9. P. Alderman, Blockchain - Emerging Legal Issues, (2015) – http://www.lexology.com/library/detail.aspx?g=6e5a942e-94ea-4891-a07c-a9d96343dc95.

10. G. Caffyn, London Law Firm to Digitise Contracts Using Bitcoin Technology, (2015) – http://www.coindesk.com/london-law-firm-to-digitise-contracts-using-bitcoin-technology/.

11. P. Vigna, Delaware Considers Using Blockchain Technology, (2016) – http://www.wsj.com/articles/delaware-considers-using-blockchain-technology-1462145802.

12. L. Parker, Delaware to ‘embrace the emerging blockchain and smart contract technology industry,’ with distributed ledger shares, (2016) – http://bravenewcoin.com/news/delaware-to-embrace-the-emerging-blockchain-and-smart-contract-technology-industry-with-distributed-ledger-shares/.

13. Bitcoin Project, Bitcoin, (2015) – https://bitcoin.org/en/.

14. J. Brito and A. Castillo, Bitcoin: A Primer for Policymakers, (2015) – http://mercatus.org/sites/default/files/Brito_BitcoinPrimer.pdf.

15. A. Webb, 8 Tech Trends to Watch in 2016, (2015) – https://hbr.org/2015/12/8-tech-trends-to-watch-in-2016.

16. IC3, Initiative for Cryptocurrencies & Contracts, (2016) – http://www.initc3.org/.

17. C. Metz, Tech and Banking Giants Ditch Bitcoin for Their Own Blockchain, (2015) – http://www.wired.com/2015/12/big-tech-joins-big-banks-to-create-alternative-to-bitcoins-blockchain/.

About the Author

As well as being a cyber security specialist, Rajinder Tumber is a two-time finalist for the “Personality of the Year” award in the cybersecurity industry, and a finalist for the “IT Manager of the Year” award from Computing and BCS – The Chartered Institute for IT. Rajinder Tumber is also a sci-fi/fantasy novelist, and he participates in exclusive cyber-related roundtables, thought-leadership, mentoring, and public-speaking events. He may be reached at [email protected].
