eei : cybersecurity law conference
Post on 03-Jan-2016
EEI: Cybersecurity Law Conference
October 24, 2014

Lisa J. Sotto
Hunton & Williams LLP
(212) 309-1223
lsotto@hunton.com
www.huntonprivacyblog.com

Paul M. Tiao
Hunton & Williams LLP
(202) 955-1618
ptiao@hunton.com
The Privacy and Cybersecurity Team at Hunton & Williams
• Over 25 privacy professionals in the U.S., EU and Asia
• Our privacy clients have included 6 of the Fortune 10
• Representing clients across multiple industry sectors, including energy, retail, transportation, consumer products, publishing, financial services, technology, advertising, health care and pharmaceutical
• Centre for Information Policy Leadership at Hunton & Williams
• www.HuntonPrivacyBlog.com
• @hunton_privacy
Roadmap
• Introduction
• Cyber Threat Landscape – Setting the Stage
• The Legal and Policy Environment
– U.S.
– EU
• Lessons Learned
A Sampling of Recent Global Headlines
1. August 2013 – Another wave of DDoS attacks on financial institutions launched but deemed to have little impact
2. December / January 2013 – Several U.S. retailers and a UK announce significant credit card breaches
3. April 2014 – Heartbleed bug announced; related breaches uncovered
4. April 2014 – Target CEO resigns; the company’s breach response cited as a contributing factor
5. May 2014 – French telco reports 2nd breach in past several months
6. May 2014 – eBay breach; investigations in the US and UK anticipated
7. May 2014 – Worst data breach in German history identified; 18+ million email passwords compromised
The Cyber Threat Landscape
• Threat Actors
• Threat Vectors
• Targeted Information and Systems
A Year In Review
• Recent Compromises
– Target
– Neiman Marcus
– Michaels
– The UPS Store
– Goodwill
– The Home Depot
– JPMorgan Chase
• Recent Government Activity
– Congressional inquiries
– Calls for FTC action
– PLA indictment
Legislative and Policy Environment
• Congressional attempts to pass cybersecurity legislation
– Numerous efforts to pass a cybersecurity law
– Key legislative issues
– Failure to pass legislation in 2012 provided impetus for the 2013 Executive Order on Improving Critical Infrastructure Cybersecurity
Executive Order on Improving Critical Infrastructure Cybersecurity
• Cybersecurity Framework – Voluntary program, including incentives
• Information sharing
• Identification of critical infrastructure for which a cybersecurity attack could have catastrophic effects
• Agencies to determine whether existing regulations are sufficient and take regulatory action to address deficiencies
• Use of the federal procurement process to encourage contractors to enhance information security practices
• Consideration of privacy and civil liberties issues
Cybersecurity Framework
• NIST published the final version of the Cybersecurity Framework on Feb. 12, 2014
– Framework Core
– Implementation Tiers
– Framework Profile
– Privacy appendix in the preliminary Framework (Oct. 2013) stricken from the final version
• Extensive public input
– Five widely attended workshops
– Request for Information
– Many comments on the preliminary version of the Framework
• Likely benchmark in regulatory, enforcement and litigation contexts
• Future workshops and versions
A Life-Cycle Methodology
Function Categories
6 Functions, 22 Categories, 98 Sub Categories
Identify – Asset management, business environment, governance, risk assessment, risk management
Protect – Access control, awareness & training, data security, process & procedures, maintenance, protective technologies
Detect – Anomalies & events, continuous monitoring, detection processes
Respond – Response planning, communications, analysis, mitigation, improvement
Recover – Recovery planning, improvements, communications
Framework Profile
* This same roadmap visualization can be applied to the categories and sub-categories within each function.
Electric Utility Issues
• Industrial Control Systems
• Smart Grid
• Information Sharing Groups
– Electricity Subsector ISAC
– Downstream Natural Gas ISAC
• Cyber insurance for operational technology
Federal Agency Information-Sharing Programs
• DHS
– National Cybersecurity and Communications Integration Center (NCCIC)
  • US-CERT
  • ICS-CERT
– Cybersecurity Information Sharing and Collaboration Program (CISCP)
• FBI
– Cyber Division & FBI Field Offices
– National Cyber Investigative Joint Task Force
– National Cyber and Forensics Training Alliance
– Domestic Security Alliance Council
– InfraGard
• DOE
– Cybersecurity Risk Information Sharing Program (CRISP)
Public-Private Information Sharing Issues
• Standard Agreements
– DHS Cooperative Research and Development Agreement
– FBI Memorandum of Agreement and Non-Disclosure Agreements
• Information sharing rules and procedures
• Information handling restrictions
• Protection from disclosure under FOIA
• Implications for regulatory enforcement
• Prosecutorial implications
• Privacy risks
Data Security Rules
• Federal Law
– FTC Act
– Gramm-Leach-Bliley
– HIPAA/HITECH
– FACTA Disposal Rule
• State Requirements
– MA, NV, CA and progeny
– Breach notification laws
• Industry Standards
– PCI DSS
– ISO
– NIST
Utility-Specific Cybersecurity Requirements
• Version 5 Critical Infrastructure Protection Reliability Standards
– Expanded scope of covered cyber systems
– Categorization of systems by impact on reliability
– Enforcement date – April 2016
• NERC Physical Security Standards
Legal Obligations
• Understand your legal obligations arising out of a cyber event
– Breach notification and other obligations
  • State, federal, international law
  • Industry standards
  • Contractual obligations
  • SEC reporting
State Breach Notification Requirements
• Generally, the duty to notify arises when unencrypted computerized “personal information” was acquired or accessed by an unauthorized person
• “Personal information” generally is an individual’s name plus:
– Social Security number
– Driver’s license / state ID card number or
– Account, credit or debit card number, along with password or access code
• Service providers must notify data owners of security breaches and some states require “cooperation” with the data owner
Variations in State Breach Laws
– Definition of PI
– Computerized v. paper data
– Notification to state agencies
– Notification to CRAs
– Timing of individual notification
– Harm threshold
– Content of notification letter
– Preemption
– New CA requirements
SEC Cybersecurity Guidance
• Companies are not disclosing enough
– The SEC is cracking down
• Vast majority of companies that did address cyber issues used only boilerplate language
– Some hacking victims said nothing
• Disclosures often don’t give a genuine sense of the risk
– Cyber attacks are included as one of many potentially catastrophic events
SEC Enforcement Efforts
• SEC is now formally investigating companies’ cyber disclosures
– Focused on whether investors were appropriately informed
– Probes are not public
– Target is reported to be facing scrutiny
– Prospect of enforcement actions
EU Cybersecurity: Regulatory Efforts
• On February 7, 2013, the EC issued a draft directive on cybersecurity
• Once adopted, member states will have 18 months to implement the Directive
• The aim of the Directive is to
– Achieve European cyber resilience
– Drastically reduce European cybercrime
– Develop common European cyber defense policies and resources
– Establish a coherent European cyberspace policy and promote core EU values
• The Directive would require EU competent authorities to cooperate, share information, and coordinate responses
EU Cybersecurity: Breach Reporting
• The Directive would require companies in “critical” sectors to adopt strict network security standards and report “significant” cybersecurity incidents
• The proposals encompass a broad section of industry sectors, including non-essential services such as YouTube and Spotify
• The proposals do not clearly distinguish between targeted cybersecurity incidents and other types of breaches
• The breach reporting requirements are not harmonized with existing and anticipated breach reporting requirements under the EU E-Privacy Directive and the proposed EU General Data Protection Regulation
Global Breach Notification Requirements
• Breach notification requirements and guidance emerging across the world
– 30+ countries outside the U.S. now require or strongly recommend notification
  • Federal and provincial standards in Canada
  • Several countries in Europe (including Germany)
  • All major countries in Asia and Oceania (including Australia, Hong Kong, India)
Data Breach Response Timeline
1. Event
2. Mobilize
3. Legal Posture
4. Law Enforcement
5. Stabilize
6. Investigate
7. Legal Analysis
8. Notify
9. Regulatory Response
10. Lawsuits
11. Review & Improve
Paul M. Tiao
Partner
Hunton & Williams LLP
(202) 955-1618
ptiao@hunton.com

Lisa J. Sotto
Partner
Chair, Privacy and Cybersecurity Practice
Hunton & Williams LLP
(212) 309-1223
lsotto@hunton.com