Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014

Transcription

1 Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, , Mika Meyers Beckett & Jones PLC All Rights Reserved Presented by: Jennifer A. Puplava Mika Meyers Beckett & Jones PLC 900 Monroe Avenue NW Grand Rapids, MI (616) jpuplava@mmbjlaw.com

2 Why Worry About Cybersecurity? Internet crime is increasing in frequency and severity. Daily business is increasingly being conducted via the internet. Companies want to take advantage of new technologies. Many fail to acknowledge, recognize, or keep pace with escalating cybersecurity risks.

3 Key Cybersecurity Worries Mobility. Cybercrime and cyber warfare. Social attacks. Attacks on PC, server and cloud. Big Data. Cross-border concerns. Uneducated use of technology.

4 Source of Threats Outsiders Hackers (looking for financial gain). Hacktivits (on ideological missions). Terrorists/organized crime. Competitors. Government.

5 Source of Threats Insiders Current/former employees. Current/former service providers, consultants, contractors. Suppliers/customers. Business partners. Information brokers. Different motivations: Disgruntled. Careless. Uneducated.

6 Range of Harms from Cybersecurity Breach Potential harm to business, consumers and the public. Loss of Integrity. Identity theft. Tainted data. Affected operations. Loss of Access/Availability. Loss of Confidence. Disclosure of Confidential Information. Compromised customer, user or employee records. Compromised trade secrets or other proprietary information. Third party liability. Regulatory action/enforcement.

7 Benefits of a Good Cybersecurity Program Protected data. Increased efficiency of operations and financial control. Minimize risk of damage caused by cybersecurity breach. Minimize risk of third party/regulatory action relating to cybersecurity breach. Protected reputation.

8 Cybersecurity Standards Cybersecurity regulations and laws are a moving target. Currently there is a patchwork quilt of federal and state laws addressing cybersecurity, but no broad federal cybersecurity legislation. It can be easy to get lost among the many standards purporting to govern cybersecurity.

9 Cybersecurity Standards Federal Laws Examples of Industry/Business-Specific Security Laws requiring protection of systems and information. Financial institutions (Financial Services Modernization Act of 1999, Gramm-Leach Bliley Act, Federal Financial Institutions Examination Council standards). Healthcare providers (HIPAA, HITECH). Federal agencies, or those who provide services on their behalf (Federal Information Security Management Act, Homeland Security Act). Family Educational Rights and Privacy Act (FERPA). Payment Card Industry Data Security Standards (PCI-DSS). SEC reporting requirements.

10 Cybersecurity Standards State Laws Trade secrets (e.g. Michigan Uniform Trade Secret Act) require reasonable security measures be taken. Social Security Number Privacy Act (in Michigan and other states). Data Breach Notification (e.g. Michigan Identity Theft Protection Act). Freedom of Information Act. Some state laws (e.g. California) require that businesses maintain a reasonable level of security.

11 Cybersecurity Standards International Laws More comprehensive guidance regarding security issues. Legislative development in several countries. European Union directives Data protection. E-privacy. Critical infrastructures. Commission on a Cybersecurity Strategy of the European Union. Commission Proposal for a Directive Concerning Measures to Ensure a High Common Level of Network and Information Security Across the Union.

12 Other Cybersecurity Standards and Resources Contractual requirements. Information security management system standards published by International Organization for Standardization and International Electrotechnical Commissions (e.g. ISO/IEC regarding Information security management systems). Information Security Forum Standards of Good Practice. Now available for sale to the general public. Comprehensive list of best practices for information security. Atlantic Council (cybersecurity resources focusing on international and state issues). SANS Institute computer security training programs.

13 Examples of the Alphabet Soup of Privacy Regulations Electronic Communications Privacy Act (ECPA). Critical Infrastructure Information Act (CIIA). Fair Credit Reporting Act (FCRA). Fair Debt Collection Practices Act (FDCPA). Children s Online Privacy Protection Act (COPPA). Computer Fraud and Abuse Act (CFAA). Telephone Consumer Protection Act (TCPA). The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM).

14 Best Guidance To Date: NIST Framework NIST Framework for Improving Critical Infrastructure Cybersecurity. Voluntary set of standards. Good starting point for developing best practices. Aimed at reducing and better managing cybersecurity risks. Could be used as a standard for evaluating reasonableness of an organization s cybersecurity program.

15 NIST Framework Not a checklist. Contains suggested steps for establishing or improving a cybersecurity program. Offers a common set of activities to anticipate and mitigate against cyber attacks. Users can create a profile to describe their current and desired states. Framework Core includes Functions, Categories, Subcategories, and Informative References.

16 NIST Framework 2014, Mika Meyers Beckett & Jones PLC All Rights Reserved

17 NIST Framework Informative References describe specific cybersecurity activities common across critical infrastructure sectors. Draws from a range of standards, guidelines and practices. Illustrates a method to achieve the outcomes associated with each Subcategory. More information regarding the Framework can be found at

18 Best Practices in Creating a Cybersecurity Program The process of creating a cybersecurity program will be different for each organization no one-size-fits-all approach. Involve all levels of authority in creating a cybersecurity program. IT staff cannot be alone in this effort. Organization should identify its business objectives and priorities.

19 Best Practices in Creating a Cybersecurity Program Identify and prioritize corporate information assets. Inventory: Where data resides; The type of data collected; Type and location of equipment and devices used; Who can access the data; How and what sensitive information is transmitted to third parties; What information is retained and for how long.

20 Best Practices in Creating a Cybersecurity Program Assess legal requirements regarding ability to: Collect and retain information from employees, customers, and third parties. Use and share collected information. Secure collected information. Dispose of collected information.

21 Best Practices in Creating a Cybersecurity Program Evaluate risk of data loss. Identify threats and vulnerabilities to corporate systems and assets. Follow organization s established risk management process. NIST Guide for Conducting Risk Assessments. FTC requires reasonable risk assessment. Evaluation should include assessment of cybersecurity risk of outsourced functions.

22 Best Practices in Creating a Cybersecurity Program Reacting to problems Identify gaps in protection or legal compliance. Create an action plan to address the gaps.

23 Best Practices in Creating a Cybersecurity Program Acting proactively Draft a security policy/plan. Address cybersecurity in vendor agreements. Consider cyber-insurance coverage. Accurately describe information sharing in customer Terms of Service and Privacy Policies. Implement technical, administrative, and physical controls using cost/benefit analysis. Train employees, and develop procedures for newly hired and exiting employees.

24 Contractual Approaches to Minimizing Liability Vendor Contracts: Agreement should describe the services to be provided by the vendor, and address the following: Requirements regarding use, disclosure, storage, protection and disposal/return of confidential, sensitive, and protected information. Clarify ownership of data and information. Responsibility for compliance with applicable laws and regulatory requirements. Reporting/notification obligations in the event of a breach, and who pays the cost of the breach. Right to direct, participate in, or receive updates regarding breaches. Indemnification, and other provisions addressing liability for damages caused by security breaches. Use of subcontractors. Vendor s business continuity/disaster recovery plans. Service levels.

25 Contractual Approaches to Minimizing Liability Customer Contracts: Agreement should describe the services to be provided by the company Services contract, EULA, Privacy Policy, etc. Address privacy. Clearly and conspicuously describe data collection and use practices. Give customers a choice about whether their data is collected and used. Address security standard of care for BOTH parties. Reserve the right to report/notify/make public statements regarding security breaches. Reserve the right to suspend services upon breach.

26 Additional Valuable Contract Terms Limitation of liability. to not exceed amount. excepting certain types of damages. Disclaimer of warranties. Jurisdiction. Statutes of Limitation. Alternative Dispute Resolution. Insurance coverage requirements.

27 Employment Agreements Commitment that employee with comply with company s security policy. Require protection of confidential, proprietary and other sensitive information. Address ownership of proprietary information. Communication with employees beyond the documents is important. Hiring and exit procedures. Employee training.

28 Because Breaches of Security Happen... Develop procedures to stop the breach and remediate damaged functionality. Identify legal requirements relating reporting/notification in the event of a security breach. Draft a written computer incident response/data breach policy, and be prepared to mitigate an incident. Monitor and be prepared to respond to breaches. Regularly evaluate the above.

29 General Rules for Cybersecurity Be proactive rather than just reactive. Maintain reasonable procedures to protect sensitive information and comply with applicable law. Do not misrepresent your practices.

30 Questions? Jennifer Puplava (616) Disclaimer: This presentation is to assist in a general understanding of some of the legal issues involved, and is not intended as legal advice. Persons with particular questions should seek the advice of counsel.