IIA ISACA Bermuda Legal Considerations of Cyber Security ... · Legal Considerations of Cyber Security For ... formally assess their unique legal and compliance circumstances. 4

IIA/ISACA Bermuda 2014 Annual ConferenceCyber Security

Legal Considerations of Cyber Security ForBermuda Based Organizations

KPMG BermudaCrown HousePar-la-Ville RoadHamilton, BermudaOctober 3rd, 2014

Presented By:Duncan C. Card, B.A., LL.B., LL.M., ICD.D

Managing PrincipalBennett Jones (Bermuda) Ltd.

Duncan Card: www.bennettjones.com

1. Cyber Security: is only one subset of IT security.

2. Cyber Security: a profound matter of corporate governance.

3. Undertaking A Cyber/IT Security Legal Assessment: Each company must formally assess their unique legal and compliance circumstances.

4. Overall Compliance Framework: Categories of Potential Legal requirements, duties and obligations.

Overview of Presentation

2


• despite the sensational incidents• despite the additional terminology• despite the "cyberfication" of risk

Cyber security is merely one aspect of a company's legal requirements, duties and obligations concerning all IT security.

There is very little new law that addresses "cyber security" per se.

The serious nature of cyber security threats have merely created a risk context in which companies must examine those IT security legal requirements, duties and obligations.

I. Cyber Security: A Subset of IT Security

3


Therefore: the same business and legal considerations for IT security apply to Cyber Security risks

• protection of company's confidential information • protection of company's intellectual property• comply with company's third party confidentiality obligations• "Trade Association" or professional duties: CICA, TSX, Law Society, NYSE, etc.• data protection – regulatory and third parties • corporate governance duties of prudent management • regulatory obligations for secure corporate records• common law duty of care in many situations (even "equitable duty")• integrity and reliability of information as evidence • business management requirements for accurate data• record security for financial audit purposes• statutory standards of care and incident reporting• insurance coverage requirements


4


There are a few differences that are unique to the Cyber Security subset of IT Security risks:• the scope of impact can be enormous across all business operations• some enterprises may be the target of cyber warfare or terrorism: e.g.

financial, government, infrastructure, consumer• the scope of those affected and size of damages can be enormous, hence

the risk of class actions• most IT security risks are internal and inherent, whereas cyber security

risks are external and perpetrated by others against your company


5


Corporate Governance is both the starting point for understanding what a company's potential legal duties are, and it is the first category of legal duty.

Cyber Security & Corporate Governance: The Perfect Storm

• increasing regulatory governance scrutiny• increasing shareholder activism• increasing consumer awareness and concern• increasing number of class actions• increased demand for privacy/data protection• increasing number of direct cyber attacks• increasing number of perpetrator categories

II. Cyber Security & Corporate Governance

6


The fundamental corporate governance obligations of a company (Board of Directors and executive officers) for cyber security are:

1. To be informed about cyber security threats and the unique and specific risks they pose to the company in every respect.

2. To understand what the company's unique legal, contractual, regulatory and compliance obligations are for security, protection and response to cyber incidents, and to ensure adequate performance measures are in place.

3. To act reasonably and prudently to ensure the company is commercially, operationally, technically, financially, and reputationally prepared and ready for such risks and management challenges (prevention, mitigation, and in response).

II. Cyber Security & Corporate Governance

7


• Each company has highly unique legal, regulatory, contractual, or other compliance requirements, duties and obligations.

• The unique industrial (sectorial), financial, commercial, technological, reputational, and regulatory circumstances of each company will create very different issues of legal concern in the face of a cyber security threat or incident.

• Each company has a unique "cyber security legal profile" that must first be assessed and formulated with the assistance of the company's IT legal, risk and compliance advisors.

III. Undertaking A Cyber/IT Security Legal Assessment

8


Each company's unique "cyber security legal profile" may depend upon many variables, including the following:

• origination of company/customer data, and what is the jurisdictional reach of those sources

• is the company private or publicly traded, under what exchanges and under which regulatory authorities does it operate

• is it an "infrastructure enterprise"

• does it have any governmental or "public policy" obligations (contract or otherwise)

• how is it regulated, and in what jurisdictions

• is it a B2B enterprise, or is it a B2C enterprise

• how litigious is its industry

• does it or any affiliate pay income taxes in any jurisdiction

• does it have its financial statements audited

• what third party security/confidentiality obligations exist

III. Undertaking A Cyber/IT Security Legal Assessment

9


Cyber Security standards of care and quality assurance duties, as well as related risks associated with cyber incidents, can affect any (or all) of the following legal requirements, duties and obligations:

1. Evidence: electronic records must satisfy tests for admissibility related to reliability, completeness, accuracy and that they are "true" and have not been tampered with or altered by third parties.

2. Fiduciary Relationships: partnerships, agency, trusts or other fiduciary duties will create very onerous duties of care to protect the security of information, including from cyber incidents.

3. Third Party Obligations: any contracts that contain duties of data protection, IT standards of care, or confidentiality (even Non‐Disclosure Agreements) all have potential legal implications for a cyber incident if those duties of care are breached; any government contracts (security requirements).

IV. Overall Compliance Framework: Categories of Potential Legal Requirements, Duties & Obligations

10


4. Industry Regulations: broad sectors of regulation now routinely include IT security obligations; some with cyber references; general duties of record maintenance and security; quality of records produced; some with electronic data security and protection (disaster recovery, reasonable standards of care)

5. Ex Juris Issues: in what other jurisdictions do you carry on business or are otherwise subject to such jurisdiction's data protection, privacy, records integrity, and IT standards laws; do you have consolidated financials?; licensed to do business; is there shared IT service arrangement with affiliates; any IT/data outsourcing?


11

• telecommunications • hospitals • banking• financial • infrastructure • insurance


6. Data Protection Laws: where is your customer data from?; are you a safe harbour for EU purposes?; some medical information about personally identifiable individuals will be subject to protection with extra‐territorial effect; same with "Privacy" legislation.

7. Accounting Standards & Audits: if your company has its financial records audited in Bermuda, then either international or CICA standards compel your company to adhere to a vast body of IT (and cyber) security standards, methodology and systems activities; failure to comply could have a very broad range of audit and legal implications.

8. Insurance Coverage: commercial risk management requires contractual compliance with policy terms, including prompt cyber incident notification.

[Note: Every "Cyber Risk" insurance policy I have seen is horribly written, with incorrect terminology, and with mistaken descriptions of the risks they propose to ensure for –without any of the relevant risk minimization duties.]


12


9. Private vs. Public Company: which regulators (SEC, OSC, other), and where; which stock exchange membership/listing agreements; look for: (1) records integrity requirements; (2) IT security standards; (3) duty to report material changes; (4) duty to report cyber incidents (e.g. SEC).

10. Corporate Governance: failure to address cyber risk at the Board and C‐suite levels may: (1) have regulatory implications; (2) have insurance coverage implications; (3) could lead to shareholder actions; (4) could lead to class actions against the company that includedirectors/officers.


13


1. What are the potential legal risks and liabilities for cyber attack?

2. How to avoid or mitigate cyber attack legal risks?

Epilogue

14


I. Potential Legal Risks

1. Regulatory action against Director/officers for breach of statutory/regulatory duty of care or acts/omissions.

2. Loss of corporate/commercial license, permit, authority or consent.

3. Corporate fines, penalties, and reputational risk: e.g. failure to notify SEC of cyber incident.

4. Shareholder legal action – (derivative action) to compel conduct or for damages caused by a failure to perform statutory, regulatory, common law or contractual duties.

5. Class action – consumer or stakeholder class is damaged due to cyber breach; tort (negligence), breach of contract, or breach of statutory duty of care.

6. Loss of intellectual property – once the IP is public , you may not be able to legally control or protect that IP; trade secrets and loss of competitive advantage.

Epilogue

15


I. Potential Legal Risks

7. Third party law suits – breach of, duty to protect confidential information; damage claim.

8. Reputational risks: brand; public confidence; government relations; "activist" groups target the company

9. Contaminated data (corrupted, cannot prove integrity)

= government records are non‐compliant (e.g. Tax, customs)

= cannot introduce records as evidence

= cannot secure "clean" audits

= cannot assess business or commercial status

= cannot give reps/warranties related to corporate records/company information (prospectus, commercial alliances, loans, etc.)

10. Trade Association and/or Professional Bodies: may take quasi‐regulatory action for breach of a professional or "trade" standard of care, e.g. NYSE, or Law Society

Epilogue

16


II. Avoid or Mitigate Cyber Legal Risks

1. Prudent & Diligent Corporate Governance:

• be informed• assess unique legal duties• formulate legal action plan• "business judgement rule" advice of professional experts• oversight and governance: policies, procedures, training and testing

2. Professional Standard of Care:

• prudent due diligence on risks (including seminars)• industry norms and trade custom compliance• technical and non‐technical actions – implement & test• perform executive duties with care, prudence and professionalism• ethical hacking is now standard

3. HR Risk: a significant part of your IT/Cyber risk is from the inside:

• Train employees well about nefarious techniques to "get in"

Epilogue

17



• make cyber security part of all culture (seminars, lawyer presentations ) to scare them; put it in their contracts, regular audits like ethical hacking at personnel level

• EAP is essential – the NSA's #1 cyber security measure is screening and EAP services

4. Unplug: assess what data actually needs to be "Internet accessible"; what data can be kept away from online access; corporations are moving to LANs, WANs and dedicated networks that are not web enabled; what are the business reasons for data being web‐accessible?

5. Security Tiers: logical segregation into levels of security protection rigour; rationalize which data breach has the highest risk for the company and move it into higher, less accessible, regions.

6. Disaster Recover: redundancy; fail‐safe systems to switch to; contingency planning for data and records reconstruction if not parallel live systems.

Epilogue

18



7. Audit "Supply Chain Integrity": where has your hardware/IT equipment been made and what is the risk of embedded malware?; supply chain/procurement contract risk, liability and indemnity provisions; e.g. Huawei vs. Hewlett Packard

8. Third Party Systems: (1) due diligence on technical control/protection; (2) risk allocation in contracts; (3) third party ethical hacking; and ensure "governance culture" across the access community

Action Plan: In the event of a cyber incident, does your company have a SWAT action plan in place (ready to go) that addresses legal, as well as technical, actions that are needed? Your legal advisors must vette that action plan.

See: Card, D. "Cyber‐Security Corporate Governance: Three Essential Steps To Form A Cyber‐Security SWAT Team", May 2014, Bennett Jones Publication.

Epilogue

19


Legal Considerations Of Cyber Security For Bermuda Based Organization

THANK YOU!

Contact Information:

Bennett Jones (Bermuda) Ltd.Hamilton House, [email protected]

Presented by:

Duncan Card, Managing Principal, Bennett Jones (Bermuda) Ltd.

Author of, Information Technology Transactions: Business, Management and Legal Strategies, Carswell Publishing, Toronto 2nd Ed. (312 pages, hardcover) available at www.carswell.com.

20

Documents

IIA ISACA Bermuda Legal Considerations of Cyber Security ... · Legal Considerations of Cyber Security For ... formally assess their unique legal and compliance circumstances. 4