TRANSCRIPT
1/23/2017
© 2015 Morgan, Lewis & Bockius LLP
Cybersecurity: Staying on Top of Changes in Laws and Regulations and the Role of Government in Promoting Effective Cybersecurity
Mark Krotoski
Jan. 25, 2016
Cybersecurity and Data Privacy Law Conference
The Center for American and International Law
Presenter: Mark Krotoski
• Litigation partner in the Privacy and Cybersecurity and Antitrust practices.
• Served as the National Coordinator for the Computer Hacking and Intellectual Property (CHIP) Program in the Department of Justice (DOJ) in Washington, D.C., and as a CHIP prosecutor in Silicon Valley, among other DOJ leadership positions.
• Successfully led prosecutions and investigations of nearly every type of international and domestic computer intrusion, cybercrime, and criminal intellectual property cases. Specialized in foreign economic espionage cases involving the theft of trade secrets with the intent to benefit a foreign government. He and his team successfully prosecuted two of the first foreign economic espionage cases authorized by DOJ under the Economic Espionage Act.
• Advises clients on developing effective Cybersecurity and Trade Secret Protection Plans and in responding to a data breach incident or misappropriation of trade secrets. He has written extensively on these issues.
Phone: 650-843-7212;
Email: [email protected]
Note
• Comments during this presentation are based upon publicly available information and on general observations and experience and not on any particular facts or specific cases.
• The views expressed during this presentation are those of the speaker, and not necessarily those of Morgan Lewis or any firm clients.
Overview
• Increasingly regulated environment
– Tension in complying with disparate cyber standards
– New emerging standards in multiple jurisdictions
– International standards
• Concurrent jurisdiction by multiple enforcers
• Proliferating, divergent cybersecurity standards
• Government role in promoting effective cybersecurity
NIST Cybersecurity Framework
• Voluntary flexible approach
• Collaboration with industry
• Focused on critical infrastructures
• Widely adopted
https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
NIST Cybersecurity Framework
NIST Framework, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf
Draft Cybersecurity Framework 1.1
• Public comment on draft Framework Version 1.1 by April 10th, 2017 [email protected]
– Workshop to be convened
– Final Framework Version 1.1 issued around Fall 2017
Draft Framework Specific Comment Questions
• Are there any topics not addressed in the draft Framework Version 1.1 that could be addressed in the final?
• How do the changes made in the draft Version 1.1 impact the cybersecurity ecosystem?
• For those using Version 1.0, would the proposed changes impact your current use of the Framework? If so, how?
• For those not currently using Version 1.0, does the draft Version 1.1 affect your decision to use the Framework? If so, how?
• Does this proposed update adequately reflect advances made in the Roadmap areas?
• Is there a better label than “version 1.1” for this update?
• Based on this update, activities in Roadmap areas, and activities in the cybersecurity ecosystem, are there additional areas that should be added to the Roadmap? Are there any areas that should be removed from the Roadmap?
Comparing NIST Cybersecurity Framework with FTC Requirements
https://www.ftc.gov/news-events/blogs/business-blog/2016/08/nist-cybersecurity-framework-ftc
“If I comply with the NIST Cybersecurity Framework, am I complying with what the FTC requires?” From the perspective of the staff of the Federal Trade Commission, NIST’s Cybersecurity Framework is consistent with the process-based approach that the FTC has followed since the late 1990s, the 60+ law enforcement actions the FTC has brought to date, and the agency’s educational messages to companies, including its recent Start with Security guidance.
Comparing NIST Framework with FTC Requirements
https://www.ftc.gov/news-events/blogs/business-blog/2016/08/nist-cybersecurity-framework-ftc
Federal Laws
• Federal Trade Commission
– Section 5 (unfair and deceptive practices)
– Gramm-Leach-Bliley Act Safeguards Rule (financial services)
– COPPA (children’s information)
• SEC
– Reg S-P Safeguarding Rule
– Reg S-P Disposal Rule
• HHS Office for Civil Rights
– Health Insurance Portability and Accountability Act (“HIPAA”)
FTC Request for More Authority
“The FTC supports federal legislation that would:
(1) strengthen its existing authority governing data security standards on companies and
(2) require companies, in appropriate circumstances, to provide notification to consumers when there is a security breach.”
Legislation “should give the FTC the ability to seek civil penalties to help deter unlawful conduct, jurisdiction over non-profits, and rulemaking authority under the Administrative Procedure Act.”
FTC Chairwoman Edith Ramirez, Statement on Data Breach on the Rise: Protecting Personal Information From Harm before the Senate Committee on Homeland Security and Governmental Affairs (April 2, 2014)
SEC Cybersecurity Disclosures
http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
Federal Financial Institution Regulations
• Advance Notice of Proposed Rulemaking on Enhanced Cyber Risk Management Standards
• Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and Federal Deposit Insurance Corporation
• Five categories of cyber standards:
– Cyber risk governance
– Cyber risk management
– Internal dependency management
– External dependency management
– Incident response, cyber resilience, and situational awareness
• Comment Period: February 17, 2017
Federal Role
• What is the role of the federal government on cybersecurity?
– Leadership
– Government and private industry balance
• Will new, specific federal cybersecurity standards be adopted?
– Particularized standards
• Given the proliferating standards at various levels of government, will federal preemption ultimately be necessary to remove the unnecessarily complex, costly and cumbersome data breach notification maze and other regulatory standards?
Increasing Enforcement and Regulatory Scrutiny
• Data Breach Notification
• New Highly Prescriptive Regulations
• Reasonable Cybersecurity
51 Data Breach Notification Jurisdictions
Core PI or PII Definition
• "Personal information" means either of the following:
• (1) An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security:
(A) Social Security number.
(B) Driver's license number or State identification card number.
(C) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
Expanding PII Definition
• "Personal information" means either of the following:
• (1) An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security:
(A) Social Security number.
(B) Driver's license number or State identification card number.
(C) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(D) Medical information.
(E) Health insurance information.
(F) Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.
815 ILCS 530/5, Section 5 [Illinois House Bill 1260]
Expanding PII Definition
• "Personal information" means either of the following:
(1) An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security:
....
(2) User name or email address, in combination with a password or security question and answer that would permit access to an online account, when either the user name or email address or password or security question and answer are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security.
815 ILCS 530/5, Section 5 [Illinois House Bill 1260]
Expanding PII Definition
• Adding Usernames or Email Addresses
– California (2014)
– Florida (2014)
– Wyoming (2015)
– Nebraska (2016)
– Nevada (2016)
– Illinois (2017)
Encryption Safe Harbor
• Cal. Civil Code § 1798.29 (Jan. 2017) [Assembly Bill 2828]
• Disclosure of the breach:
– (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or,
– (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable.
Encryption Safe Harbor
• "Personal information" means either of the following:
(1) An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security:
....
(2) User name or email address, in combination with a password or security question and answer that would permit access to an online account, when either the user name or email address or password or security question and answer are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security.
815 ILCS 530/5, Section 5 [Illinois House Bill 1260]
Massachusetts Data Breach Notification Archive
http://www.mass.gov/ocabr/press-releases/2017/ocabr-data-breach-archive.html
Public Data Breach Notification Websites
http://www.doj.state.or.us/releases/Pages/2016/rel010716a.aspx
HHS Office for Civil Rights
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Increasing Enforcement and Regulatory Scrutiny
• Data Breach Notification
• New Highly Prescriptive Regulations
• Reasonable Cybersecurity
NY Department of Financial Services
http://www.dfs.ny.gov/about/press/pr1609131.htm
“[A]nnounced that a new first-in-the-nation regulation has been proposed to protect New York State from the ever-growing threat of cyber-attacks. The regulation requires banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.”
NY Department of Financial Services
• Written Risk Assessment
– Annually
• Written Cybersecurity Policy
– Addressing “at minimum” 14 areas
– Reviewed by board
– Approved by Senior Officer
• Written Incident Response Plan
• CISO Biannual Report for Board
– Available to superintendent upon request
• Third party information security policy
• Cybersecurity awareness training
– Updated to reflect annual risk assessment
• Cybersecurity audit records
– Maintained for at least 6 years
• Testing
– Annual penetration testing and risk assessments
– Quarterly vulnerability assessments
• NYDFS Notification
– Within 72 hours of certain “Cybersecurity Events”, defined as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System”
• Annual Certification
– Board annually review the cybersecurity program and submit a Certification of Compliance
http://www.dfs.ny.gov/about/press/pr1609131.htm
NYDFS Update and Delayed Implementation
http://www.dfs.ny.gov/about/press/pr1612281.htm
“The proposed regulation, which will be effective March 1, 2017, will require banks, insurance companies, and other financial services institutions regulated by DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.”
Increasing Enforcement and Regulatory Scrutiny
• Data Breach Notification
• New Highly Prescriptive Regulations
• Reasonable Cybersecurity
Enforcement and Regulatory Focus
• What constitutes reasonable cybersecurity?
• What is unreasonable?
• What constitutes “unfair cybersecurity practices”?
Major Case: FTC v. Wyndham Worldwide Corp.
Complaint allegations:
• Hotels stored payment card information in clear readable text
• Use of easily guessed passwords to access the property management systems
• Failed to use firewalls to “limit access”
• Failed to ensure that the hotels implemented “adequate information security policies and procedures”
• Failed to “adequately restrict” the access of third-party vendors to its network and the servers
• Failed to employ “reasonable measures to detect and prevent unauthorized access” to its computer network or to “conduct security investigations”
• Failed to follow “proper incident response procedures.”
FTC v. Wyndham Worldwide Corp. (3d Cir.)
• Section 5 prohibits “unfair or deceptive acts or practices in or affecting commerce”
• “Unfair cybersecurity practices”
• Open issue before Third Circuit: Can overstating cybersecurity policies lead to deception claim?
799 F.3d 236 (3d Cir. 2015)
FTC v. Wyndham Worldwide Corp.
“Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
https://www.ftc.gov/news-events/press-releases/2012/06/ftc-files-complaint-against-wyndham-hotels-failure-protect
FTC Reasonableness Standard
• Reasonable cybersecurity practices based on
– Volume and sensitivity of information the company holds
– Size and complexity of the company’s operations
– Cost of the tools that are available to address vulnerabilities
– Other factors
https://www.ftc.gov/news-events/blogs/business-blog/2016/08/nist-cybersecurity-framework-ftc
Statutory Reasonableness Standard
• Cal. Civ. Code § 1798.81: businesses must take “reasonable steps to dispose, or arrange for the destruction of customer records within its custody or control containing personal information.”
• Cal. Civ. Code § 1798.81.5: businesses that “own” or “license” personal information about a California resident must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
Reasonable Security Standard
• Maryland Code of Comm. Law §14–3503.
(a) To protect personal information from unauthorized access, use, modification, or disclosure, a business that owns or licenses personal information of an individual residing in the State shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information owned or licensed and the nature and size of the business and its operations.
(b) (1) A business that uses a nonaffiliated third party as a service provider to perform services for the business and discloses personal information about an individual residing in the State under a written contract with the third party shall require by contract that the third party implement and maintain reasonable security procedures and practices that:
(i) Are appropriate to the nature of the personal information disclosed to the nonaffiliated third party; and
(ii) Are reasonably designed to help protect the personal information from unauthorized access, use, modification, disclosure, or destruction.
California Presumption
• RECOMMENDATION 1: The 20 controls in the Center for Internet Security’s Critical Security Controls define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.
https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf
PROLIFERATING, DIVERGENT CYBERSECURITY STANDARDS
Concurrent Jurisdiction
• Recent cases:
– Federal Trade Commission
– Securities and Exchange Commission
– State Attorneys General
– U.S. Department of Justice
Differing State Notification Standards
• Who must be notified?
– Customers
– Government
• When must they be notified?
– Reasonable notice
– Delayed notification
• What data (PII) triggers notification?
• What constitutes a “data breach”?
– What exemptions?
– Any reasonable likelihood of harm?
• What form of notice is required?
– Email notification
– Substitute notice
• What consequences and penalties?
– Private right of action
• Are there any industry-specific requirements?
– Insurance (GA, KS, ME, MT)
– Medical records (CA, LA)
– Financial institutions (MN)
– Public utilities (MI)
Form of Notice
Including, but not limited to:
• The consumer's right to obtain a police report
• How a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze, and
• Any fees required to be paid to any of the consumer reporting agencies
But the notice “shall not include”:
• The nature of the breach or unauthorized acquisition or use
• The number of residents of the commonwealth affected by said breach or unauthorized access or use.
Mass. Gen. Laws § 93H-1(3)(b)
Form of Notice
• Specific notice requirements
– Plain language, titled “Notice of Data Breach”
– Use “the following headings”:
– “What Happened”
– “What Information Was Involved”
– “What We Are Doing”
– “What You Can Do”
– “For More Information”
– Format “designed to call attention to the nature and significance of the information”
– Title and headings “clearly and conspicuously displayed”
– Text “no smaller than 10-point type”
Cal. Civ. Code § 1798.82(d)(1)
Delayed Law Enforcement Notification
• “The notification required by this act may be delayed if a law enforcement agency determines and advises the entity in writing specifically referencing this section that the notification will impede a criminal or civil investigation. The notification required by this act shall be made after the law enforcement agency determines that it will not compromise the investigation or national or homeland security.”
Pennsylvania Breach of Personal Information Notification Act, 73 P.S. § 2304
• “(b) If a federal, state, or local law enforcement agency determines that notice to individuals required under this subsection would interfere with a criminal investigation, the notice shall be delayed upon the written request of the law enforcement agency for a specified period that the law enforcement agency determines is reasonably necessary. A law enforcement agency may, by a subsequent written request, revoke such delay as of a specified date or extend the period set forth in the original request made under this paragraph to a specified date if further delay is necessary.”
Florida Information Protection Act, Fla. Stat. § 501.171(4)(b)
Data Security and Breach Notification Act of 2015 (H.R. 1770)
• March 25, 2015
• House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade
• Bipartisan introduction
– Energy and Commerce Committee Vice Chairman Marsha Blackburn (R-TN)
– Rep. Peter Welch (D-VT)
• National standard to maintain reasonable security to protect and secure personal information
– Technology and process neutral standard with flexibility for innovation and new technologies
• Notification not later than 30 days
– Unless there is no reasonable risk of identity theft, economic loss, economic harm, or financial fraud
– Delayed notification for law enforcement or national security purposes
• FTC and State AG enforcement
– Violation is an unfair and deceptive act or practice under the FTC Act
• No private right of action
• Does not preempt privacy law
https://energycommerce.house.gov/news-center/press-releases/data-security-solution-moves-forward
State Attorney General Opposition
http://www.naag.org/assets/redesign/files/sign-on-letter/Final%20NAAG%20Data%20Breach%20Notification%20Letter.pdf
State Preemption Provisions
• § 899-aa. Notification; person without valid authorization has..., NY GEN BUS § 899-aa
• 9. “The provisions of this section shall be exclusive and shall preempt any provisions of local law, ordinance or code, and no locality shall impose requirements that are inconsistent with or more restrictive than those set forth in this section.”
State Preemption Provisions
• 73 P.S. § 2306 Preemption
• “This act deals with subject matter that is of Statewide concern, and it is the intent of the General Assembly that this act shall supersede and preempt all rules, regulations, codes, statutes or ordinances of all cities, counties, municipalities and other local agencies within this Commonwealth regarding the matters expressly set forth in this act.”
State Preemption Provisions
• Mich. Comp. Laws § 445.72
• (18) “This section deals with subject matter that is of statewide concern, and any charter, ordinance, resolution, regulation, rule, or other action by a municipal corporation or other political subdivision of this state to regulate, directly or indirectly, any matter expressly set forth in this section is preempted.”
Call for Harmonization
• RECOMMENDATION 5: State policy makers should collaborate to harmonize state breach laws on some key dimensions. Such an effort could reduce the compliance burden for companies, while preserving innovation, maintaining consumer protections, and retaining jurisdictional expertise.
https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf
Harmonization is Not Occurring
• Inevitable nuances
• Many years to harmonize even assuming there is agreement
• Disparate standards will invite pre-emption and efforts to promote uniformity
Role of Government on Cybersecurity
• How to incentivize effective cybersecurity practices?
– How much carrot and how much stick?
• Given limited resources, what are the costs and burdens of compliance?
• Is cybersecurity meaningfully enhanced?
– Recognizing no “one size fits all” and need for flexibility and options
Cybersecurity Regulatory Principles
• How is effective cybersecurity incentivized and promoted by the proposed regulation?
– Can the objectives be accomplished through guidance or voluntary standards?
– What costs and burdens are imposed by the proposed regulation?
• What flexibility allows for tailored cybersecurity solutions?
– No “one-size-fits-all approach to managing cybersecurity risk”
• What existing regulatory standards apply?
– What justifies new standards?
– Is there any reason the standards cannot be harmonized?
• Will any new standards become obsolete based on new technology and evolving standards?
– Why freeze the regulatory standards into law?
– Why impose certain regulatory standards in a changing technological environment?
• What input does the private sector provide on the standards?
Questions
Mark L. Krotoski
Washington, DC, tel. +202.739.5024
Silicon Valley, California, tel. +650.843.7212
This material is provided as a general informational service to clients and friends of Morgan, Lewis & Bockius LLP. It does not constitute, and should not be construed as, legal advice on any specific matter, nor does it create an attorney-client relationship. You should not act or refrain from acting on the basis of this information. This material may be considered Attorney Advertising in some states. Any prior results discussed in the material do not guarantee similar outcomes. Links provided from outside sources are subject to expiration or change.
THANK YOU