Legal Issues Surrounding the Internet of Things and Other Emerging Technology

Similar documents
Cyber Risks in the Boardroom Conference

Cybersecurity Auditing in an Unsecure World

Cyber Insurance: What is your bank doing to manage risk? presented by

Cyber Risk and Third Party Risk Management. Lisa Murphy First Horizon National Corporation

Medical Device Cybersecurity: FDA Perspective

European Union Agency for Network and Information Security

2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response Intelligence in Action

CYBER SECURITY AND MITIGATING RISKS

The Evolving Threat to Corporate Cyber & Data Security

GDPR: A QUICK OVERVIEW

Internet of Things Toolkit for Small and Medium Businesses

Cybersecurity and Hospitals: A Board Perspective

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

MOBILE.NET PRIVACY POLICY

Disruptive Technologies Legal and Regulatory Aspects. 16 May 2017 Investment Summit - Swiss Gobal Enterprise

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Connected Medical Devices

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

June 2 nd, 2016 Security Awareness

2017 RIMS CYBER SURVEY

GRANDSTREAM PRIVACY STATEMENT

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Technology Roadmap for Managed IT and Security. Michael Kirby II, Scott Yoshimura 04/12/2017

Healthcare HIPAA and Cybersecurity Update

Technology Roadmap for Managed IT and Security. Michael Kirby II, Scott Yoshimura 05/24/2017

DATA PROTECTION BY DESIGN

GDPR: The Day After. Pierre-Luc REFALO

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

Understanding Cyber Insurance & Regulatory Drivers for Business Continuity

Effective Strategies for Managing Cybersecurity Risks

Business continuity management and cyber resiliency

Ensuring Privacy and Security of Health Information Exchange in Pennsylvania

IEEE-SA Internet of Things - Security & Standards

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Executive Insights. Protecting data, securing systems

Institute of Internal Auditors 2018 IIA CHICAGO CHAPTER JOIN NTAC:4UC-11

The NIS Directive and Cybersecurity in

University of Pittsburgh Security Assessment Questionnaire (v1.7)

ANATOMY OF A DATA BREACH: DEVELOPMENTS IN DATA SECURITY AND CLOUD COMPUTING LAW

UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA

PRIVACY STATEMENT +41 (0) Rue du Rhone , Martigny, Switzerland.

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

IoT Security & Privacy Trust Framework v2.5

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

The Data Breach: How to Stay Defensible Before, During & After the Incident

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Tangible Measures to Prepare for Intensified Regulatory Oversight of Cybersecurity in 2016

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Jeff Wilbur VP Marketing Iconix

The HIPAA Omnibus Rule

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

What is the website's privacy policy?

Defensible and Beyond

Managing Cybersecurity Risk

Cybersecurity. Overview. Define Cyber Security Importance of Cyber Security 2017 Cyber Trends Top 10 Cyber Security Controls

MEDICAL DEVICE CYBERSECURITY: FDA APPROACH

CYBER RISK MANAGEMENT

Website Privacy Policy

Privacy Policy Effective May 25 th 2018

Emergency Nurses Association Privacy Policy

Cyber Security in Smart Commercial Buildings 2017 to 2021

Security and Privacy-Aware Cyber-Physical Systems: Legal Considerations. Christopher S. Yoo University of Pennsylvania July 12, 2018

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

ADMA Briefing Summary March

T11: Incident Response Clinic Kieran Norton, Deloitte & Touche

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

Electronic Communication of Personal Health Information

Protect Your Organization from Cyber Attacks

Hot Topics in Privacy

Hot Topics in Privacy

milestoned LLP Privacy Policy p. 1 Privacy Policy

Mastering Data Privacy, Social Media, & Cyber Law

Sword vs. Shield: Using Forensics Pre-Breach in a GDPR World. September 20, 2017

716 West Ave Austin, TX USA

New Guidance on Privacy Controls for the Federal Government

Cyber Insurance PROPOSAL FORM. ITOO is an Authorised Financial Services Provider. FSP No

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

Cybersecurity The Evolving Landscape

2017 Cyber Incident & Breach Readiness Webinar Will Start Shortly

Altitude Software. Data Protection Heading 2018

Data Breach Preparation and Response. April 21, 2017

Caribbean Cyber Security: Not Only Government s Responsibility

Supply Chain (In)Security

Mobile Application Privacy Policy

Accelerate GDPR compliance with the Microsoft Cloud

POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS

Avanade s Approach to Client Data Protection

Cyber Risk and Networked Medical Devices

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Tackling Cybersecurity with Data Analytics. Identifying and combatting cyber fraud

What It Takes to be a CISO in 2017

In Accountable IoT We Trust

Big data privacy in Australia

It s still very important that you take some steps to help keep up security when you re online:

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

General Data Protection Regulation (GDPR) The impact of doing business in Asia

Mission: Continuity BUILDING RESILIENCE AGAINST UNPLANNED SERVICE INTERRUPTIONS

Insider Threat Detection Including review of 2017 SolarWinds Federal Cybersecurity Survey

Transcription:

Legal Issues Surrounding the Internet of Things and Other Emerging Technology ACC Houston Chapter Meeting September 12, 2017 Jonathan Ishee Vorys Sater Seymour and Pease, LLP Dean Fisher RigNet

Overview Internet of Things ( IOT ) What is IOT Privacy and Security Concerns Mitigation Strategies Other Emerging Technology Blockchain Questions

What is IOT Internet of Things revolves around increased machine-to-machine communication; it s built on cloud computing and networks of data-gathering sensors; it s mobile, virtual, and instantaneous connection.* In a general sense connecting any device with an on and off switch to the Internet (and/or to each other).* Most people think of consumer appliances that are smart *A Simple Explanation Of 'The Internet Of Things Forbes, May 13, 2014

What is IOT Why Should I Care?

What is IOT Why Should I Care? Increased Use of Sensors for Data Collection Data Analytics Network Connectivity for Software/ Equipment Updates Increase Use of Cloud Based Storage Connectivity Without Incorporating Privacy or Security Patchwork of Regulatory Oversight

Privacy and Security Concerns Hackers target DOT road signs in Charlotte with vulgar messages, Jul 17, 2017

Privacy and Security Concerns (cont d) 465,000 Pacemakers Recalled on Hacking Fears, ABC Radio September 3, 2017 Was Russian hacking of Ukraine's power grid a test run for U.S. attack? CBS News June 23, 2017

Privacy and Security Concerns (cont d) Wellness Apps Evade the FDA, Only to Land in Court, Wired April 03, 2017

ISSUES RAISED BY INCREASED PRIVACY RISK Ensuring users have sufficient control, as they often cannot review the data before its collection or publication Automatic or default communication without the user being aware. The difficulty of controlling the flow of data in these situations Lack of awareness by individuals of a device s enhanced capabilities, and the quality of their consent

ISSUES RAISED BY INCREASED PRIVACY RISK Insufficiency of classical consent mechanisms and the need for new methods of consent Risk of stakeholders using the data beyond the original specified purposes, particularly with the rise of Artificial Intelligence applications IoT s ability to determine habits, behaviors and daily activities of individuals

ISSUES RAISED BY INCREASED PRIVACY RISK Limits on the ability to remain anonymous while using IoT devices or services Vulnerability of devices to re-identification attacks where users can be identified by unauthorized users Risk of turning everyday object into a privacy and security target Battle between battery efficiency and the security of communications resulting in a lack of encrypted data flows

LAW AND REGULATIONS ALWAYS LAGS BEHIND TECHNOLOGY No uniform regulatory approach, so providers of IoT devices will have to comply with differing regulations in each state, province, or country. However: Senators Mark Warner (D-VA) and Cory Garner (R-CO), cochairs of the Senate Cybersecurity Caucus, introduced legislation last month under The Internet of Things Cybersecurity Improvement Act of 2017 (S. 1691) to require all devices purchased by the U.S. Government to meet certain minimum requirements.

Mitigation Strategies Risk Assessments Contractual Agreements with Outside Vendors Cyber Liability Insurance

Mitigation Strategies Risk Assessments Testing of Product Before Implementation Exercise Should Include Assessments of the Following Strategic Risks Tactical Risks Security Risks Information Technology Human Engineering Safety Risks

Risk Assessments Strategic and Tactical Risk

Risk Assessments Security and Safety

Mitigation Strategies Contractual Agreements Sample Language in Purchase Agreements: Product does not contain components with any known security vulnerabilities or defects listed in the National Institute of Standards and Technology s ( NIST ) National Vulnerability Database or a similar database identified by the purchaser; Include components that are capable of receiving properly authenticated and trusted patches from vendors; Utilize industry-standard technology and components for communication, encryption, and interconnection with peripherals; and Do not include fixed or hard-coded passwords to receive updates or enable remote access.

Mitigation Strategies Contractual Agreements (cont d) A requirement to notify the purchaser of any known security vulnerabilities or defects subsequently disclosed to the vendor by a security researcher or when a vendor becomes aware of such a vulnerability during the term of the Agreement. Update, replace, or remove, in a timely manner, vulnerabilities in software and firmware components in a properly authenticated and secure manner. This includes a requirement to provide information to the purchaser regarding the manner for such updates, as well as a timeline and formal notice when ending security support.

Contracting Recommendations- Industry Perspective Consents and Opt Outs. Insist on Data Minimization and Deidentification. Health Care Data an example of where special care is needed for areas of sensitive data Location Data. Limit device fingerprinting by disabling wireless devices when not in use or using random identifiers to prevent a persistent identifier being used for location tracking.

Contracting- Industry Perspective Transparency and Fair Processing. Disclosing the purposes for processing information from the individual. Security. Many devices lack encryption because of device design and cost control. Insist on encryption and immediate notification of any security vulnerability. Standardization and data portability. Restrict sharing of your data without your consent.

Contracting- Industry Perspective Most of us are risk managers when it comes to contracting. An IoT agreement brings increased risks to data privacy and security. Involve your security people to evaluate any new network devices that may have access to your systems. Foster a culture of security, adopt a defense-indepth approach that incorporates security measures at several levels.

Contracting- Industry Perspective Train your people about network security issues, phishing scams, etc. as people are the weakest link in any security system. Rotate your passwords frequently. Take a risk-based approach use greater security protocols where your more sensitive data is at risk. Ask about your Provider s plans to address a security flaw or breach.

Mitigation Strategies Cyber Insurance Generally Two Types Cyber Liability Insurance Technology Errors and Omissions Cost Varies Greatly Based on Industry and Insurer s Underwriting Experience Important to Know What is Covered and What is Not

Mitigation Strategies Cyber Liability Insurance Covers Breaches of Sensitive Customer Information and Associated Costs Credit Reporting Notification Costs Penalties imposed by state regulators Note: Does not cover property loss sustained by the business

Mitigation Strategies Technology E&O Coverage Covers Providers of Technology Services or Products Liability and property loss coverage

OTHER EMERGING TECHNOLOGY BLOCKCHAIN

Blockchain What is It? A Shared Ledger Technology Allowing Participants in the Network to View the Record Components Participants Ledger Smart Contract

Blockchain What is It? (cont d) Historically Used in Digital Currency

Example of Blockchain Ledger

Blockchain Benefits Benefits Every Transaction becomes part of the record and can be reviewed by individuals with the appropriate permissions Relevant information can be shared with others based on role based access Distributed ledgers are shared and updated in real-time across a group of participants

Blockchain is Not A Messaging Solution Suited for transactions Involving One Participant For High Value or Milestone Transactions A Place to Store Confidential Information

Blockchain Non Financial Use Cases Health Information/Data Exchange Supply Chain Provenance and Traceability Payment/Claims Processing Situations in which there is a third party payor Food Safety

Blockchain Use Case Food Safety More than 1,000 foodborne outbreaks investigated by state and local health departments are reported each year, according to the CDC Roughly 48 million people are afflicted annually, with 128,000 hospitalized and 3,000 dying.

Blockchain Use Case Fact Pattern You are a grocery store that has just been informed that a pork product that you sell has been recalled due to contamination issues at a particular plant with a particular batch. What Do You Do?

Blockchain Use Case Food Safety

Questions Please Contact: Jonathan Ishee, JD, MPH, MS, LLM jishee@vorys.com 713-588-7037

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback