Information Security Law Update 2012
David G. Ries, Esq.
412-394-7787 dries@thorpreed.com
March, 2012
Data Governance
Information Security
Records & Information Management
Privacy
E-Discovery / Litigation Holds
Information Security
Process
People
Policies & Procedures
Technology
SECURE
Information Security
Protect
Confidentiality
Integrity
Availability
Information Security
Assign responsibility
Training
Security awareness
Current Trends
Generally increasing duties
High level legal duties better defined
Still substantial uncertainty
Generally greater potential for liability
Information Security Laws
1. Laws protecting computers, networks and communications
2. Laws requiring safeguards
3. Other laws
Computer Protection Laws
1. Computer Fraud and Abuse Act
2. Electronic Communications Privacy Act
3. State Laws
Laws Requiring Safeguards
Federal Information Security Management Act
Financial Industries Modernization Act (GLB)
Health Insurance Portability and Accountability Act (HIPAA)
Children’s Online Privacy Protection Act
Fair Credit Reporting Act (FACTA)
Laws Requiring Safeguards
Sarbanes-Oxley Act
Family Educational Rights and Privacy Act
Federal Trade Commission Act
State Laws
High level legal duties
Better defined
Consistent
2. The Emerging Legal Standard
Develop, implement and maintain
A comprehensive information security program
Written
Administrative, technical and physical safeguards
Appropriate to:
– Size and complexity
– Nature and scope of activities
– Sensitivity of information
Based on a risk assessment
Designate responsibility
Training
Third parties
“Reasonable” “Appropriate”
Legal requirements
Standards and benchmarks
Legal Requirements
Federal Agencies
– GISRA / FISMA
– National Institute for Standards and Technology (NIST) (U.S. Dept. of Commerce)
– National Security Agency (NSA)
G-L-B, HIPAA, COPPA, state laws
Standards / Benchmarks
ISO Standards
– 27002:2005
– 27001:2005
FFIEC
Center for Internet Security
CERT
US-CERT
Legal Standards as guides: (NIST, NSA, OMB) (G-L-B, HIPAA, COPPA)
3. Data Breaches Continue
High profile consumer data breaches
Commercial data / intellectual property
Data Breaches
Steal $
Steal IP
Steal national security info
Hacktivism
Consumer Data Breaches
2011
Breaches: 419
Exposed: 22,918,441
2010
Breaches: 662
Exposed: 16,167,542
High Profile Breaches
BJ’s Wholesale Clubs
ChoicePoint
DSW Shoe Warehouse
CardSystems
Dept of Veterans Affairs
TJX
Hannaford Bros.
Heartland Payment Sys.
Consumer Data Breaches
Privacy Rights Clearinghouse
www.privacyrights.org/ar/ChronDataBreaches.htm
DataLossDB
http://datalossdb.org/
Interhack
Using Science to Combat Data Loss: Analyzing Breaches by Type and Industry
http://web.interhack.com/publications/breach-taxonomy
Federal Trade Commission
Dept. of Health and Human Services
Securities and Exchange Commission
Financial Industry Regulatory Authority (independent regulator)
4. Federal Enforcement Escalates
FTC Enforcement
Violation of laws & regulations
Misrepresentations or false promises - “Deceptive trade practices”
“Unfair trade practices”
FTC Enforcement
Lookout Services
software to keep track of the immigration requirements of their employees
Employee of customer was able to access info about 37,000 persons
Inadequate security = “unfair trade practices”
Mass. v. Briar Group (Mass. Superior)
2009 data breach exposing debit and credit cards
failure to implement basic data security measures
failure to comply with PCI DSS
$110,000 + corrective measures
TJX Companies
BJ’s Wholesale Club
DSW Shoe Warehouse
OfficeMax
Boston Market
Barnes & Noble
Sports Authority
Forever 21
Hannaford Brothers
7-Eleven
Heartland Payment Systems
Once inside the networks, they installed "sniffer" programs that would capture card numbers, as well as password and account information, as they moved through the retailers’ credit and debit processing networks.
Data Breach Notice
Credit Freeze
Reasonable Security
Encryption
Secure Disposal
Liability for Breaches
5. States Lead in New Laws
Data Breach Notice - 46
Credit Freeze - 47
Reasonable Security - 10
Encryption - 6
Secure Disposal - 23
Liability for Breaches - 3
SSN Protection - 34
States Lead in New Laws
State Laws
Breach notification
– Cal Database Security Breach Notification Act
– 46 states
– PA law 73 P.S. §2301-2329
– List of laws: http://tinyurl.com/pmyrmb
“Doing Business”
Notice of Breaches
Information covered
Entities covered
Definition of “breach”
Who must be notified
Risk of harm
Time of notice
Form or method of notice
Exceptions
– Safe Harbor
– Encryption
“persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts”
“shall develop, implement, maintain and monitor a comprehensive, written information security program”
New Mass. Law - M.G.L. c. 93H
Office of Consumer Affairs and Business Regulation
– 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth
– Effective March 1, 2010
– www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
New Mass. Law - M.G.L. c. 93H
The American Recovery and Reinvestment Act of 2009
Health Information Technology for Economic and Clinical Health (HITECH) Act
– promote the use of electronic health records by all hospitals and physicians by 2015
– enhanced privacy & security
6. Economic Stimulus
HIPAA privacy & security rules extended to business associates
– Definition of “business associates” expanded
Breach notice requirement
Increased enforcement and penalties
HITECH
7. Victims Face An Uphill Battle
Consumers
– Increased Risk
– Victims of ID Fraud or ID Theft
Financial Institutions
Common Law
Contract
Negligence
Products Liability
Directors’ & Officers’ Liability
Losses
Financial Institutions
– Unauthorized transactions
– Closing/replacing accounts
Retailers
Victims
– Identity Theft / Fraud
– Data Breaches
Consumer Cases
Negligence barred by economic loss rule
Increased risk of identity theft is insufficient
In Re Hannaford Bros. Customer Data Security Breach Litigation (D. Me.)
(1st Cir.)
Patco Construction Co., Inc. v. People’s United Bank
(D. Me.)
Summary judgment on commercial customer’s claims
UCC Article 4A claims dismissed because bank applied reasonable security measures
No conversion or unjust enrichment
Other tort claims preempted by UCC
Experi-Metal, Inc. v. Comerica Bank
(E.D. Mich.)
Claim by commercial victim of phishing attack that resulted in unauthorized wire transfers of more than $1.9 million
In a nonjury trial, the court found for the plaintiff, finding that the bank violated its duty of good faith under the UCC by failing to detect and stop the transactions.
Reasonable and appropriate safeguards
Current industry standards
Comply with all applicable laws and regulations
Questionnaire
Inspection / audit
Notice of material changes
8. Contracting for Security
Contracts Requiring Safeguards
HIPAA, G-L-B, etc.
Payment Card Industry Data Security Standard (PCI)
Outsourcing / Cloud
Business partners
Recommended