
Page 1

Presentation for

Data Protection 2003 South Eastern Europe

Conference on Regional Security Through Data Protection

December 1-2, 2003

Cybercrime, Cyber Security, & Privacy:

The 3-Legged Stool

JODY R. WESTBY, Esq. The Work-IT Group

December 1-2, 2003

Page 2

The International Legal Landscape

Cybercrime, Privacy & Cyber Security Are Global Issues; 200 Countries Connected to Internet

Cybercrime, Privacy & Security of Information Infrastructure Important to National & Economic Security Interests

Industrialized Countries Addressing; Developing Countries Lagging

International Legal Framework Highly Inconsistent

© JODY R. WESTBY, Esq. The Work-IT Group December 1-2, 2003

Page 3

Nexus Between Cyber Security, Privacy, & Cybercrime

Major Component of Cyber Security is Ability to Protect Against Unauthorized Access & Disclosure; Enterprise Approach Needed; Must be Able to Deter, Detect, Obtain Evidence

Privacy & Security Breaches Are Cybercrimes; Laws Deter, Enable Prosecution

Privacy Dependent upon Security; Driven by Laws, Culture

[Diagram labels: Cybercrime, Privacy, Security]


Page 4

American Bar Association Privacy & Computer Crime Committee

Section of Science & Technology Law

3 Publications:

International Guide to Combating Cybercrime - Available now

International Corporate Privacy Handbook - To be published early 2004

International Strategy for Cyberspace Security - To be published early 2004


Page 5

Approach to Publications

Written with public/private participation

Involvement of lawyers, industry representatives, government personnel, NGOs, academia, international participants

Working Groups

Plenary review of all text

Heavily footnoted, live links, readable citations


Page 6

Privacy/Data Protection


Page 7

Data Protection in the Electronic Age

Data Held by Both Public & Private Entities

Perception & Assumption of Privacy v. Reality

Differing Legal Protections

No Global Uniform Approach


Page 8

Technology Has Removed Cloak of Privacy

Credit card records

Computers in automobiles (Event Data Recorders)

GPS system data

Telephone records and utility bills

ISP traffic data

Web site cookies

Surveillance cameras

Data mining software

There are few corners of life without a digital fingerprint


Page 9

Data Protection Against What?

Theft of Data

Unauthorized Disclosure of Data

Inappropriate, Illegal Use of Data

Fraud

Corruption or Sabotage of Data

Page 10

Avenues of Protection

Constitutions

Statute or Regulation

Court or Administrative Decisions (Common Law)

Confidential & Proprietary Information

Classic Intellectual Property & Trade Secret

Contract & Non-Disclosure Agreement


Page 11

Other Legal Considerations

Tracking and Tracing

Common Law Rights

Monitoring in the Workplace

Disclosure of Personal Information, Tort Actions

Freedom of Information Act, Information Sharing

Computer Crime Laws - Prosecutorial Thresholds, Evidentiary Requirements

Jurisdictional Issues


Page 12

Enforcement: U.S. Model Links Privacy & Security

Federal Trade Commission Rulings Require 4-Part Program:

1. Designating Appropriate Personnel to Oversee Privacy/Security Program

2. Identifying Reasonably Foreseeable Internal & External Risks to Security, Confidentiality, & Integrity of Personal Information

3. Conducting an Annual Written Review by Qualified Persons

4. Adjusting Program to Fit Findings From Reviews, Monitoring, Operational Changes


Page 13

A Global Approach is Needed

U.S. Sectoral Approach v. Universally Applicable for Collection, Use, Dissemination of Personal Information

Regulatory Enforcement v. Privacy Commissioner

International Legal Framework Varied

EU Data Protection Directive Has Had Greatest Impact

Interconnected Network Demands International Approach:

(1) national and international initiatives

(2) consistent global framework

(3) accepted best practices and resources

(4) implementation of effective privacy & security programs

(5) technological considerations.


Page 14

Best Resource

American Bar Association’s International Corporate Privacy Handbook

To be published early 2004

Complimentary Copies to Developing Countries

Email: [email protected] or

[email protected]

Page 15

Cyber Security


Page 16

A Strategy for Cyberspace Security

“An international strategy for cyberspace security is only possible through the evolution of consistent practices, international cooperation, and the involvement of all users—public and private, large and small. Each user must accept the responsibilities for cyber security attendant to their system.”

International Strategy for Cyberspace Security


Page 17

A Strategy for Cyberspace Security

Categories of infrastructure to be protected

Key legal parameters and international initiatives

Information on best resources and practices

Guidance on the development of a complete security program

Implementation and technological considerations


Page 18

Enterprise Security Program: Plans, Policies & Procedures

Security Plan: Overall Strategic Document that Serves as the “Business Plan” for Securing an Organization’s Information, Systems, and Networks

Security Policies: Components of the Security Plan that Define how the Organization’s Data, Applications, and Network are to be Secured. Policies are High-Level Statements that are Relatively Static and Empower and Enforce Security Procedures.

Security Procedures: Move the Policies into Action Through the Organization’s People and Processes.


Page 19

Development of a Security Plan

Main Elements

Governance Structure: Senior Management & Boards of Directors; Cross-Organizational Security Team; Personnel; Change Management

Classification: Data; Applications; Network & Systems

Legal Considerations & Risks: Compliance Requirements; Jurisdictional Differences; Contracts, NDAs; Confidential, Proprietary Information & Due Diligence


Page 20

Best Resource

American Bar Association’s International Strategy for Cyberspace Security

To be published early 2004

Complimentary Copies to Developing Countries

Email: [email protected] or

[email protected]


Page 21

Cybercrime


Page 22

Cybercrime Laws Vary in Form and Penalties/Punishment

Industrialized Nations’ Laws Protect Computer & Communication Systems and Data Transiting & Residing In These Systems

Cybercrime Laws Generally Apply To:

Use of computers & Internet for illegal purposes (viruses, hacking, unauthorized acts)

Crimes against communication systems

Crimes facilitated by the use of a computer

Wiretap, pen register, and trap and trace laws to protect privacy and facilitate investigations


Page 23

Combating Cybercrime Is Multifaceted

Requires Effective Cybercrime Laws

Has Jurisdictional Considerations

Requires International Cooperation in Investigations and Prosecution

Search & Seizure of Electronic Evidence Requires Expertise and Cooperation

Public and Private Sector Cooperation Important

Page 24

Cybercrime Laws Important for Developing Countries

Confidentiality, Integrity, & Availability of Data & Networks Central to Attracting FDI and ICT Operations

Protect Integrity of Government & Reputation of Country

Keep Country from Becoming Haven for Bad Actors, Repositories of Data

Instill Market Confidence & Certainty Regarding Business Operations

Provide Protection for Protected Information

Protect Consumers & Assist Law Enforcement, Intelligence Gathering

Deter Corruption

Increase National Security & Reduce Vulnerabilities

Provide a Means for Prosecution and Civil Action for Cybercrimes

Increase the Likelihood Electronic Evidence Will be Available

Page 25

Cybercrime Laws Protect Citizens

Help Protect Freedom of Expression, Human Rights, & Other International Rights

Enhance Statutory & Constitutional Rights (rights to privacy, protections on search/seizure & self-incrimination)

Help Ensure Citizen Use of ICTs, Access/Exchange Information

Strengthen Consumer Confidence Against Fraud


Page 26

Consistent International Legal Framework is Emerging

U.S., Europe, G8, Council of Europe are Global Leaders

CoE Convention on Cybercrime

EU Ministers of Justice adopted the Proposal for a Council Framework Decision on attacks against information systems on March 4, 2003.

G8

Ten Principles to Combat High-Tech Crime

Action Plan to Combat High-Tech Crime

24/7 Point of Contact Network (30 countries)

Okinawa Charter on Global Information Society


Page 27

Jurisdictional Issues

Possible for Cyber Criminal to be Physically Located in One Country, Weave an Attack Through Multiple Countries & Computers, and Store Evidence on Servers in yet Another Country

Victims May be All Over Globe

Internet Borderless but Law Enforcement Must Stop at Borders

Substantive & Procedural Laws of Countries May Conflict

Letters Rogatory & MLATs

Dual Criminality Requirements Very Problematic

Needs to be Way to Secure Extradition; Extradition Treaties One Method


Page 28

Global Needs

Model Cybercrime Laws

Increased Participation by Developing Countries

Increased Donor Assistance in Cybercrime Laws

Training Programs for Law Enforcement, Prosecutors

International Initiative to Promote Cooperation

Multinational Initiatives to Address Jurisdictional Issues, Cooperation of Law Enforcement, Search & Seizure of Electronic Evidence

Improved Tracking & Tracing Capabilities

Improved Communications & Shared Initiatives Between Policymakers, Technical Bodies, Private Stakeholders, Law Enforcement


Page 29

Best Resource

American Bar Association’s International Guide to Combating Cybercrime

http://www.abanet.org/abapubs/books/cybercrime/

Complimentary Copies to Developing Countries

Email: [email protected] or

[email protected]


Page 30

American Bar Association Privacy & Computer Crime Committee

Section of Science & Technology Law

3 Publications:

International Guide to Combating Cybercrime - Available now

International Corporate Privacy Handbook - To be published early 2004

International Strategy for Cyberspace Security - To be published early 2004


Page 31

ABA Privacy & Computer Crime Committee

3 Guides “Connect the Dots”

Understand Nexus Between Privacy, Security & Cybercrime

Understand Developing Global Legal Framework

Identify Best Practices, Standards, Resources Available

Understand How to Implement Complete Privacy & Security Program (protect, secure, enforce)

Understand Science & Technological Considerations


Page 32

The Work-IT Group

THANK YOU!