Posted on 21-Jul-2016


Cybersecurity And The PSAP

Alan S. Tilles, Esquire
Chairman, Cybersecurity Practice Group
Shulman Rogers Gandal Pordy & Ecker, P.A.
[email protected]

Who Are We?

• Full Service Law Firm In Potomac, Maryland
• Counsel To Small & Large Business, Transit & Public Safety Agencies
• Significant Practice Area In Wireless Communications For Business & Public Safety, Including In-Building Communications
• Cybersecurity Compliance Analysis, Review Of WISP Programs & Representation In Breach Litigation

You Are A Target!

• Size Doesn’t Matter, They’re Coming For You For Fun, For Profit, Or For Mischief

• Your Goals (Regardless Of Size) Should Be To:
  – Prevent
  – Respond
  – Mitigate

Tools That You Can Use

• NIST Cybersecurity Framework

• FCC Cyber Planner

– http://www.fcc.gov/cyberplanner

• Other Industries Have Similar Resources To Assist In Putting Together Cyber Plans

Compliance

• Have A Plan In Place That Takes Reasonable Steps To Prevent And Respond To Data Breaches – Be Proactive
• Do An Assessment Of The Risk Within (And Outside Of) Your Organization – Do You Order Take-Out?
• What Do You Do To Keep Your Software Current – Oracle Software Glitch Made TONS Of Personal Information From Many Institutions Readily Available
  » http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/17/stop-worrying-about-mastermind-hackers-start-worrying-about-the-it-guy/
  – Develop & Implement The Plan
    • Strong Passwords Are Not Enough
    • “Leaving It To The IT Guys” Can Result In Legal Requirements Falling Between The Cracks
  – Formalize & Publicize The Plan To Staff

State Law Compliance

• What Is The Law In Your State?
  – California, Connecticut, Florida, Maryland, Massachusetts And Oregon Require A Written Information Security Program (WISP)
• Massachusetts & California Very Stringent
  – New California Law As Of September 30, 2014
    • Now Includes Data Brokers
  – New Florida Law As Of June, 2014
  – Washington State Updated Early 2015
• In Maryland, You Must:
  – Implement And Maintain Reasonable Security Procedures And Practices
  – Have A Written Contract With Any Third Party Service Provider That You Use That Provides That The Third Party Also Takes Reasonable Measures

What Is Reasonable?

• Will Vary By State And Area Of Business – Be Aware Of Your State’s Definition Of:
  • Personal Information
    – Nevada – Social Security Number, Driver’s License Number (Or NV I.D.), Credit Card Number, Debit Card (With PIN)
    – Florida – Also Medical Info, Health Insurance Info Or Number, AND ANY LOGIN INFO FOR SOCIAL MEDIA SITES OR APPS
    – Wyoming Includes Biometric Information
  • Breach Of Information
    – In Maryland, A Breach Of Personal Information Is:
      • The Release Of A Person’s Name;
      • In Combination With Social Security Number (Or Similar Info);
      • If Not Encrypted, Redacted Or Other Method Used Which Renders Info Unreadable Or Unusable
    – MA Requires Systems Holding PII To Have Firewalls, Current Virus Software And Up-To-Date Patch Management

What Is Reasonable?

• Under MA Law:
  – Reasonable Security Requires:
    • Comprehensive, Written Information Security Plan (WISP)
    • That Contains Physical, Technical And Administrative Safeguards
    • That Are Appropriate To The Company (Size, Complexity, Nature And Scope Of Activities, Sensitivity Of Information)
    • That Address Specified Categories Of Controls
    • And Are Reasonably Designed To:
      – Ensure The Security, Confidentiality, And Integrity Of The Covered Information, And
      – Protect Against Any Anticipated Threats Or Hazards To The Security Or Integrity Of That Information

Respond To A Breach

• What Law Governs What You Have To Do?

– State, Local And/Or Federal

• Notify According To Law
  – If You Have Out Of State Customers, The Law Of Your State AND Their State Applies
  – Important, Go Through Outside Counsel (Not In-House Counsel) In Discussing Breaches With Outside Vendors
    • Protects Attorney/Client Privileged Information

Respond To A Breach

• Who Does The Notification?
  – Who Owns The Information?
    • Should Be Clear In Vendor Contracts
• Do You Immediately Notify?
  – Not Necessarily (State Law)
    • Within The Most Expedient Time Possible And Without Unreasonable Delay (CA, NJ)
    • As Soon As Practicable (MD)
• Whom Do You Tell First?
  – Often Before You Tell The Consumer, You Need To Tell The State
    • The State Will Check With Law Enforcement

Respond To A Breach

• When Do You Notify?
  – Within The Most Expedient Time Possible And Without Unreasonable Delay (CA, NJ)
  – As Soon As Practicable (MD)
• What Do You Tell The Customer Or Employee?
  – MD (For Example)
    • Description Of Categories Of Info Breached
    • Information About How To Contact Attorney General, FTC, Credit Reporting Agencies
    • Use Plain Language

Respond To A Breach

• How Do You Notify?
  – MD, Your Choice
    • Mail To Last Known Address
    • E-mail Under Certain Circumstances
    • Phone
    • Alternative
  – Be Careful What You Say/Admit
    • Don’t Create A Litigation Trail

Mitigate

• Can The Government Prosecute You For A Breach?
  – Yes!
• Several Federal Agencies May Take Action
  – FCC vs. TerraCom, Inc.
    • $10 Million Fine For Violation Of Sections 201(b) And 222(a) Of The Communications Act – Failure To Protect Customer Proprietary Network Information (CPNI)
  – AT&T Settlement
• In Some States, Aggrieved Individual Also Has A Cause Of Action
  – Actual Evidence Of Harm Not Required In All States
    • However, Horizon Healthcare Case (Federal Court) Says Actual Harm Must Be Demonstrated In Order To Have Standing

Liability

• Basis Of Lawsuit By Individual?
  – Statutory Consumer Protection Laws And These Torts:
    • Invasion Of Privacy
    • Theft
    • “Trespass To Chattels & Unjust Enrichment”
• Measuring Damages
  – Proving Theft Damages & “Unjust Enrichment” Is Possible
  – Proving Harm For Invasion Of Privacy Or For Trespass, When There Is No Monetary Loss – Much More Difficult
• “Statutory Damages” – States Quantify Harm For The Consumer, As A Baseline
  – MD – Violations Are Considered An Unfair Or Deceptive Trade Practice
  – Consumer Does Not Have To Prove Either Deception Or Damage
    • Up To $1000 Per Person For First Violation
    • Up To $5000 Per Person For Subsequent Violations
    • Attorneys Fees If Consumer Brings It Him/Herself (Or Can Ask State To Do It For You)

Federal Law

• Despite Efforts, No Comprehensive Federal Cybersecurity Law
  – However, Review NIST Cybersecurity Framework For Developed Good Practice Standards
    • Will Be Relevant In Any Breach Litigation
• Other Potentially Relevant Federal Law
  – COPPA – Children’s Online Privacy Protection Act
  – CFAA – Computer Fraud And Abuse Act Criminalizes:
    • Hacking Protected Government Computers & Info
    • Hacking Bank And Credit Reporting Information
  – FACTA – Fair And Accurate Credit Transactions Act
  – HIPAA – Health Insurance Portability & Accountability Act

Liability Defense

• Your Defense – You’re Compliant With Relevant Law
  – Remember, ALL Relevant Law (States, Federal, Agency)
  – NIST Guidelines Followed, Too?
• Should You Get Cyber Insurance?
  – Most Existing Insurance Policies Do NOT Include Data Breach Coverage
  – Currently A Wild, Wild West

Cyber Insurance

• Coverage Should Include:
  – Forensic Investigation
  – Computer & Data Loss Replacement/Restoration
  – Business Interruption
  – Public Relations Expenses
  – Notification & Credit Monitoring Expenses
  – Losses From Electronic Threat & Fraud Protection
  – Losses From Ransomware Attacks
  – Coverage To Pay Outside Attorneys To Defend Above Or Pay Fines
  – Losses From Third Party Failures

Conclusions

• Take This Seriously

• Take Action Now To Protect Your Assets

• Create Law Compliant Procedures Now

• Pay Attention To The Experiences Of Others

– Target

– Neiman Marcus

– Schnucks

– Universities Of Maryland And Indiana

Thank You!

Alan S. Tilles, Esquire

Shulman, Rogers, Gandal, Pordy & Ecker, P.A.

12505 Park Potomac Ave., 6th Floor

Potomac, Maryland 20854

[email protected]

www.shulmanrogers.com