Managing the Legal Risks of Information Security -- Be Prepared or Face the Consequences!
June 13, 2007
Presented by the ACC Information Technology & eCommerce Committee and DLA Piper
Association of Corporate Counsel, www.acc.com
Page 2
Panel
Vincent Sanchez is a partner at DLA Piper and Co-Chair of their Technology and Sourcing Practice Group. He focuses his practice in the areas of complex technology transactions involving life sciences and information sciences, sourcing, eBusiness and technology and information governance.
Karen Boudreau is Senior Legal Counsel at Websense, Inc., where she focuses on technology and employment law matters. Karen is a former Chair of the IT & eCommerce Committee. Prior to Websense, she was an in-house counsel for IBM, Oracle, The Gap, Sony and Gateway.
Page 3
Overview – Why Do We Care?
• It’s a Daily Headline Issue – Reputational Risk
• Increasing # of Regulations/Legislation
• Key Component of any Compliance Program (Sarbox, GLBA, HIPAA, Internat’l Regs, etc.)
• Key Component of Most Contracts Where Information Exchanged
• Significant Management/Board Issue
Page 4
Overview – Why Do We Care?
• Increasing number of identity theft cases . . . New victim every 4.5 seconds!
• 130 reported breaches exposing more than 55 million Americans
• Hacking attempts and successes are increasing
• Lack of uniform security standards
• Lack of “sufficient” corporate standards and policies governing security despite promises or representations to the contrary
• Vulnerability of critical infrastructure and software
• Alphabet soup of regulations and impractical legislative solutions
Page 5
Framework for Legal Claims
• FTC and State Actions/Consent Decrees
• Deceptive and Unfair Practices – Far Reaching
• Tort Claims (duty per state statute; fraud; neg. misrep.; unfair practices, etc.)
• Breach of Contract Claims
• Shareholder Derivative Suits – Did you misrepresent in your SEC filings?
• Violation of Fed/State Licenses/Certifications
Page 6
Compliance Program
What are we protecting?
• Customer information
• Employee information
• Competitive Business Information
• Financial Information
• Third Party Information
• Physical vs Digital
Page 7
Compliance Program
The comprehensive program
• information security policy (covers various aspects including how to deal with breaches of information)
• use of information assets/resources
• record retention policy
• employee policies/handbook to the extent they address confidentiality
• disaster recovery/business continuity plans
Page 8
Compliance Program
Information Governance Committee – who?
• CIO
• Legal/Compliance
• Finance
• HR
• Risk Management
• Contract/Vendor Management
• Business Unit Owners – But Who to Invite?
Page 9
Compliance Program
• Risk Assessments
• Due Diligence
• Continuous Monitoring, Detection, Adjustment and Updating
• Incident Response Plans and Documentation
• Training
• Oversee Service Providers (Outsourcing)
• Board of Directors – Which committee?
• Franchise Systems
Page 10
Contracting Approach
• Approach is evolving
• Reasonable standard vs. strict liability
• Scope of employment vs. mere possession
• Detection/penetration testing
Page 11
Contracting Approach
Incident response obligations
• Who notifies – independent vs. coordinated response
• Managing different views on obligations
• Indemnification
• Remediation costs
• Have you built the contractual obligations into your overall incident response plan?
Page 12
For More Information about Compliance Programs and Contracting
Contact:
Vinnie Sanchez (312) 368-3420
Page 13
What Technology is Available to Mitigate the Risks?
• Traditional Security Technology
• Web Filtering
• Information Leak Protection
Page 14
Breaking Down the IT Budget
[Pie chart: Business Systems 91%, Security Infrastructure 9%]
• On average, only 6-9% of an IT budget is applied to security; the remainder is spent on enabling business operations
• Roughly 40% of the annual IT security budget goes to new security technologies
• Remaining goes to upgrade traditional solutions
Source: Forrester Research
Page 15
Integrated Approach to Information Security
Objective: Create a safe and productive computing environment by protecting employees and data from internal and external threats
[Figure: threat labels surrounding the environment – external: Trojan horses, key logging, spyware, viruses, web-based threats, malicious code; internal: employee error, malfeasance, mad employee, bad process]
Page 16
Traditional Security Technologies
• Antivirus
• Firewalls
• IDS/IPS
• Security Event Management
Page 17
Trojan horse captured data on 2,300 Oregon taxpayers
By Todd Weiss, Computerworld, 06/15/06
The Oregon Department of Revenue has been contacting some 2,300 taxpayers this week to notify them that their names, addresses or Social Security numbers may have been stolen by a Trojan horse program downloaded accidentally by a former worker who was surfing pornographic sites while at work in January.
Compliance and Risk Management
• Inappropriate Use
  • Written policies require means of enforcement
• External Threats
  • Increase regulatory risk and inhibit corporate governance
• Data Leakage
  • PII (Personally Identifiable Information)
  • State Breach Notification Laws
Page 18
Web Filtering
• Manages Access to the Web
• Blocks Outgoing Connections
• Helps prevent introduction of “unwanted stuff”
• Adds to network security
• Helps support employee productivity
• Customizable by the customer
Page 19
Top 10 Web Security “MUST HAVES”
1. Relevant: Block Web Threats
2. Innovative: World-class Technology
3. Proactive: Anticipate Evolving Threats
4. Real-time: Responsive to the Web
5. Control: Manage Multiple Protocols
6. Enforce: Powerful Policy Framework
7. Alert: Immediate Notification
8. Report: Empower Management
9. Integrate: Maximize Your Investments
10. Extend: Manage Your Exposure
Page 20
Your Data
[Figure: data classes at the center (Financial, Regulated, Customer, Confidential) surrounded by the groups that handle them: Customer Service, Legal, R&D, HR, Contractors, Sales]
“The average data breach costs companies $5 million” – Network World, 2006
Page 21
[Figure: information leak protection workflow]
• Data states covered: Data at Rest, Data in Use, Data in Motion
• Lifecycle: Discover, Monitor, Protect
• Actions on a policy match: Block, Encrypt, Quarantine, Notify, Remediate
• Channels monitored: SMTP, HTTP/S, FTP, IM, Internal Mail, Print, Custom Channels
Page 22
Detection Accuracy – Content/context awareness; map to workflows; inclusive of proprietary data
Enforcement Capabilities – Coverage of all data types, vectors, for both internal and external communications
Policy Admin and Updating – Granular, rule-based policy administration tied to data, users, regulations; auto-updating
Manageability and Reporting – Discovery, monitoring, prevention and enforcement in one solution; risk analysis
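The two preceding slides describe information leak protection as rule-based policy tied to data classes, users and channels, with Block, Encrypt, Quarantine and Notify as the possible outcomes for data in motion. The following Python is an added example written for this page to make that model concrete; it is not Websense code and does not reproduce any product's API. The detectors (an SSN pattern, a Luhn-checked card-number pattern, a "CONFIDENTIAL" document marking), the policy rules, the user groups and the sample messages are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Added example for this page: a toy information-leak-protection policy engine.
# Nothing here is Websense code; detectors, rules and messages are constructed.

# Detectors for the data classes the slides mention: PII (SSN), regulated card
# data, and a "CONFIDENTIAL" marking used as context rather than content.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # 13-16 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters random digit runs out of card matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of data classes found in one message body."""
    classes = set()
    if SSN_RE.search(text):
        classes.add("PII")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            classes.add("PCI")
    if "CONFIDENTIAL" in text.upper():
        classes.add("CONFIDENTIAL")
    return classes


@dataclass(frozen=True)
class Rule:
    data_class: str                          # which detector must fire
    channels: frozenset                      # vectors covered; {"*"} means every channel
    action: str                              # Block / Encrypt / Quarantine / Notify
    exempt_groups: frozenset = frozenset()   # user groups the policy allows through


# When several rules fire on one message the most severe action wins.
SEVERITY = {"Block": 3, "Quarantine": 2, "Encrypt": 1, "Notify": 0}

# Constructed policy, tied to data class, channel and user group as the slide asks.
POLICY = [
    Rule("PII", frozenset({"HTTP/S", "FTP", "IM"}), "Block"),
    Rule("PII", frozenset({"SMTP"}), "Encrypt"),
    Rule("PII", frozenset({"Internal Mail"}), "Notify"),
    Rule("PCI", frozenset({"*"}), "Block"),
    Rule("CONFIDENTIAL", frozenset({"SMTP", "HTTP/S", "FTP", "IM", "Print"}),
         "Quarantine", exempt_groups=frozenset({"Legal"})),
]


def decide(channel: str, user_group: str, text: str):
    """Evaluate one data-in-motion event; returns (action, data classes found)."""
    classes = classify(text)
    actions = [
        r.action for r in POLICY
        if r.data_class in classes
        and ("*" in r.channels or channel in r.channels)
        and user_group not in r.exempt_groups
    ]
    if not actions:
        return "Allow", classes
    return max(actions, key=SEVERITY.__getitem__), classes


# Constructed sample events: (channel, user group, message body).
EVENTS = [
    ("SMTP", "HR", "Payroll update for 123-45-6789 attached"),
    ("HTTP/S", "Sales", "form post ssn=123-45-6789"),
    ("IM", "Sales", "card 4111 1111 1111 1111 exp 12/09"),
    ("SMTP", "Legal", "CONFIDENTIAL: draft merger agreement"),
    ("Print", "R&D", "CONFIDENTIAL design spec"),
    ("Internal Mail", "Customer Service", "Ticket 4411 closed"),
]


def run(events=EVENTS):
    """Return one (channel, group, action) triple per event, in input order."""
    return [(ch, grp, decide(ch, grp, body)[0]) for ch, grp, body in events]


if __name__ == "__main__":
    for ch, grp, action in run():
        print(f"{action:<10} {ch:<14} {grp}")
```

The Legal exemption and the per-channel PII rules are what "granular, rule-based policy tied to data, users, regulations" means in practice: the same SSN is encrypted when HR mails it, blocked when it leaves over a web form, and only logged when it stays on internal mail. The Luhn check illustrates the detection-accuracy point; without it any 16-digit run would raise a card-data alert.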
Page 23
PROTECT YOUR DATA. PROTECT YOUR CUSTOMERS. PROTECT YOUR BUSINESS.
For questions or more information about the technology, contact:
Karen Boudreau, [email protected]
858.320.9263
Thank you for attending another presentation from ACC’s Desktop Learning Webcasts.
Please be sure to complete the evaluation form for this program, as your comments and ideas are helpful in planning future programs.
You may also contact Sherrese Williams at [email protected]
This and other ACC webcasts have been recorded and are available, for one year after the presentation date, as archived webcasts at www.webcasts.acc.com.
You can also find transcripts of these programs in ACC’s Virtual Library at www.acc.com/vl