Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014


© 2014, Mika Meyers Beckett & Jones PLC. All Rights Reserved. Presented by: Jennifer A. Puplava, Mika Meyers Beckett & Jones PLC, 900 Monroe Avenue NW, Grand Rapids, MI 49503, (616) 632-8000, jpuplava@mmbjlaw.com, www.mmbjlaw.com

Why Worry About Cybersecurity? Internet crime is increasing in frequency and severity. Daily business is increasingly being conducted via the internet. Companies want to take advantage of new technologies. Many fail to acknowledge, recognize, or keep pace with escalating cybersecurity risks.

Key Cybersecurity Worries: Mobility. Cybercrime and cyber warfare. Social attacks. Attacks on PCs, servers and the cloud. Big Data. Cross-border concerns. Uneducated use of technology.

Source of Threats (Outsiders): Hackers (looking for financial gain). Hacktivists (on ideological missions). Terrorists/organized crime. Competitors. Governments.

Source of Threats (Insiders): Current/former employees. Current/former service providers, consultants, contractors. Suppliers/customers. Business partners. Information brokers. Different motivations: disgruntled, careless, uneducated.

Range of Harms from a Cybersecurity Breach: Potential harm to the business, consumers and the public. Loss of integrity (identity theft, tainted data, affected operations). Loss of access/availability. Loss of confidence. Disclosure of confidential information (compromised customer, user or employee records; compromised trade secrets or other proprietary information). Third-party liability. Regulatory action/enforcement.

Benefits of a Good Cybersecurity Program: Protected data. Increased efficiency of operations and financial control. Minimized risk of damage caused by a cybersecurity breach. Minimized risk of third-party/regulatory action relating to a cybersecurity breach. Protected reputation.

Cybersecurity Standards: Cybersecurity regulations and laws are a moving target. As of this presentation (2014) there is a patchwork quilt of federal and state laws addressing cybersecurity, but no broad federal cybersecurity legislation. It can be easy to get lost among the many standards purporting to govern cybersecurity.

Cybersecurity Standards (Federal Laws): Examples of industry/business-specific security laws requiring protection of systems and information. Financial institutions (Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999; Federal Financial Institutions Examination Council standards). Healthcare providers and their business associates (HIPAA, HITECH). Federal agencies, or those who provide services on their behalf (Federal Information Security Management Act, Homeland Security Act). Educational institutions (Family Educational Rights and Privacy Act, FERPA). Merchants and service providers handling card data (Payment Card Industry Data Security Standard, PCI DSS; a contractual industry standard imposed through card-brand and acquirer agreements rather than a statute). SEC reporting requirements for public companies.

Cybersecurity Standards (State Laws): Trade secret statutes (e.g. the Michigan Uniform Trade Secrets Act) require that reasonable security measures be taken for information to qualify as a trade secret. Social Security Number Privacy Act (in Michigan and other states). Data breach notification statutes (e.g. the Michigan Identity Theft Protection Act). State Freedom of Information Acts (which govern what public bodies must disclose). Some state laws (e.g. California) require that businesses maintain a reasonable level of security for personal information.

Cybersecurity Standards (International Laws): More comprehensive guidance regarding security issues. Legislative development in several countries. European Union directives on data protection, e-privacy, and critical infrastructures. The Commission's Cybersecurity Strategy of the European Union (2013). The Commission's Proposal for a Directive Concerning Measures to Ensure a High Common Level of Network and Information Security Across the Union.

Other Cybersecurity Standards and Resources: Contractual requirements. Information security management system standards published by the International Organization for Standardization and the International Electrotechnical Commission (e.g. ISO/IEC 27001:2005 on information security management systems, superseded by ISO/IEC 27001:2013 in October 2013). Information Security Forum Standard of Good Practice (now available for sale to the general public; a comprehensive list of best practices for information security). Atlantic Council (cybersecurity resources focusing on international and state issues). SANS Institute computer security training programs.

Examples of the Alphabet Soup of Privacy Regulations: Electronic Communications Privacy Act (ECPA). Critical Infrastructure Information Act (CIIA). Fair Credit Reporting Act (FCRA). Fair Debt Collection Practices Act (FDCPA). Children's Online Privacy Protection Act (COPPA). Computer Fraud and Abuse Act (CFAA). Telephone Consumer Protection Act (TCPA). Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM).

Best Guidance To Date: NIST Framework. The NIST Framework for Improving Critical Infrastructure Cybersecurity (version 1.0, released February 2014). A voluntary framework built from existing standards, guidelines and practices. A good starting point for developing best practices. Aimed at reducing and better managing cybersecurity risks. Could be used by regulators or courts as a standard for evaluating the reasonableness of an organization's cybersecurity program.

NIST Framework: Not a checklist. Contains suggested steps for establishing or improving a cybersecurity program. Offers a common set of activities to anticipate and mitigate cyber attacks. Users can create Profiles to describe their current and desired (target) states, and Implementation Tiers to characterize how rigorously risk is managed. The Framework Core is organized into five Functions (Identify, Protect, Detect, Respond, Recover), each broken into Categories, Subcategories, and Informative References.

NIST Framework (figure slide; only the slide title survives in this transcript).

NIST Framework: Subcategories describe specific cybersecurity outcomes common across critical infrastructure sectors. Informative References are the specific sections of standards, guidelines and practices (e.g. ISO/IEC 27001, COBIT, NIST SP 800-53) that illustrate a method to achieve the outcome associated with each Subcategory. More information regarding the Framework can be found at http://www.nist.gov/cyberframework

Best Practices in Creating a Cybersecurity Program: The process of creating a cybersecurity program will be different for each organization; there is no one-size-fits-all approach. Involve all levels of authority in creating a cybersecurity program; IT staff cannot be alone in this effort. The organization should identify its business objectives and priorities.

Best Practices in Creating a Cybersecurity Program: Identify and prioritize corporate information assets. Inventory: where data resides; the type of data collected; the type and location of equipment and devices used; who can access the data; how and what sensitive information is transmitted to third parties; what information is retained and for how long.

Best Practices in Creating a Cybersecurity Program: Assess legal requirements regarding the ability to collect and retain information from employees, customers, and third parties; use and share collected information; secure collected information; and dispose of collected information.

Best Practices in Creating a Cybersecurity Program: Evaluate the risk of data loss. Identify threats to, and vulnerabilities in, corporate systems and assets. Follow the organization's established risk management process; the NIST Guide for Conducting Risk Assessments (SP 800-30 Rev. 1) is a useful reference. The FTC expects a reasonable risk assessment as part of reasonable security. The evaluation should include an assessment of the cybersecurity risk of outsourced functions.

Best Practices in Creating a Cybersecurity Program (Reacting to problems): Identify gaps in protection or legal compliance. Create an action plan to address the gaps.

Best Practices in Creating a Cybersecurity Program (Acting proactively): Draft a security policy/plan. Address cybersecurity in vendor agreements. Consider cyber-insurance coverage. Accurately describe information sharing in customer Terms of Service and Privacy Policies. Implement technical, administrative, and physical controls using cost/benefit analysis. Train employees, and develop procedures for newly hired and exiting employees.

Contractual Approaches to Minimizing Liability (Vendor Contracts): The agreement should describe the services to be provided by the vendor, and address the following: Requirements regarding use, disclosure, storage, protection and disposal/return of confidential, sensitive, and protected information. Ownership of data and information. Responsibility for compliance with applicable laws and regulatory requirements. Reporting/notification obligations in the event of a breach, and who pays the cost of the breach. The right to direct, participate in, or receive updates regarding breach response. Indemnification, and other provisions addressing liability for damages caused by security breaches. Use of subcontractors. The vendor's business continuity/disaster recovery plans. Service levels.

Contractual Approaches to Minimizing Liability (Customer Contracts): The agreement should describe the services to be provided by the company (services contract, EULA, Privacy Policy, etc.). Address privacy: clearly and conspicuously describe data collection and use practices, and give customers a choice about whether their data is collected and used. Address the security standard of care for BOTH parties. Reserve the right to report/notify/make public statements regarding security breaches. Reserve the right to suspend services upon breach.

Additional Valuable Contract Terms: Limitation of liability (a not-to-exceed amount, with exceptions for certain types of damages). Disclaimer of warranties. Jurisdiction. Statutes of limitation. Alternative dispute resolution. Insurance coverage requirements.

Employment Agreements: A commitment that the employee will comply with the company's security policy. Required protection of confidential, proprietary and other sensitive information. Ownership of proprietary information. Communication with employees beyond the documents is important: hiring and exit procedures, and employee training.

Because Breaches of Security Happen...: Develop procedures to stop the breach and remediate damaged functionality. Identify legal requirements relating to reporting/notification in the event of a security breach. Draft a written computer incident response/data breach policy, and be prepared to mitigate an incident. Monitor for, and be prepared to respond to, breaches. Regularly evaluate all of the above.

General Rules for Cybersecurity: Be proactive rather than just reactive. Maintain reasonable procedures to protect sensitive information and comply with applicable law. Do not misrepresent your practices.

Questions? Jennifer Puplava jpuplava@mmbjlaw.com (616) 632-8050 Disclaimer: This presentation is to assist in a general understanding of some of the legal issues involved, and is not intended as legal advice. Persons with particular questions should seek the advice of counsel.