
Protecting Export-Controlled Data: How to Effectively Prepare for and Respond to Cybersecurity Incidents

18 February 2016

www.hoganlovells.com

Today’s Speakers

• M. Peter Adler, Hogan Lovells
• H. Deen Kaplan, Partner, Washington, D.C., Hogan Lovells
• Ajay Kuntamukkala, Partner, Washington, D.C., Hogan Lovells
• Michael J. Scheimer, Associate, Washington, D.C., Hogan Lovells

2

Agenda

• Overview of the Cyber Threat Landscape

• The Cyber – Export Control Nexus

• Overview of the U.S. Policy and Legal Landscape

• Industry Best Practices for Cybersecurity Programs

• Responding to a Cyber Breach

• Presenter Biographies

3

4

Overview of the Cyber Threat Landscape


The Cyber Threat Landscape

5

The Threat Landscape: Costs of Cyber Intrusions?

• Remediation and Reporting Obligations
• Substantial costs associated with cyber intrusions
  – Theft of intellectual property and trade secrets
  – Reputational damage
  – Customer loss
  – Costs of litigation and regulatory enforcement actions
• One calculation of the “average” cost of a cyber breach involving individual information that is lost or stolen
  – $217 per record
  – $6.5 million overall
    • Detection and escalation
    • Notification
    • Ex-post response and remediation
    • Lost business

6

Source: 2015 Ponemon Institute Research Report

The Threat Landscape: Costs of Cyber Intrusions?

• The Broader Picture:

– A 2014 CSIS Report estimated the likely annual cost to

the global economy from cybercrime and cyber espionage

is more than $400 billion

– General Alexander, then-head of the NSA, said in 2012

that the loss of industrial information and intellectual

property through cyber espionage the “greatest transfer of

wealth in history”

7

8

The Cyber – Export Control Nexus


The Cyber – Export Control Nexus

• Every company has an interest in protecting its and its customers’ proprietary, confidential, or controlled data from cyber attacks
• Cyber attacks on companies can lead to U.S. Government scrutiny and penalties if their networks contain data subject to U.S. export controls that was accessed by unauthorized foreign persons
  – Technical data subject to the International Traffic in Arms Regulations (ITAR)
  – Commercial/dual-use software or technology subject to the Export Administration Regulations (EAR)
  – Technology subject to Department of Energy (DOE) export controls

9

10

Overview of the U.S. Policy Landscape


The Broader U.S. Policy Landscape

11

“Cybercrime is becoming everything in crime … [B]ecause people have connected their entire lives to the Internet, that's where those who want to steal money or hurt kids or defraud go. So it's an epidemic for reasons that make sense.”

-- FBI Director James Comey

Structure of U.S. Export Control Laws

12

• State Department, Directorate of Defense Trade Controls (DDTC): International Traffic in Arms Regulations (ITAR) – Military/intelligence
• Commerce Department, Bureau of Industry and Security (BIS): Export Administration Regulations (EAR) – Commercial and “dual-use”
• Energy Department, National Nuclear Security Administration (NNSA): Part 810 Regulations – Nuclear technology

Export Control Requirements for Data Breaches?

• Export control laws do not expressly address data breaches or provide specific guidance on how to protect data located on IT systems
• ITAR
  – The State Department takes a broad view of “exports”
    • ITAR-controlled data released or stored on servers outside the US, or releases of data to non-US persons, are “exports” that require authorization
  – Release of ITAR-controlled data to countries subject to U.S. arms embargoes (or nationals thereof) requires mandatory and immediate disclosure to the State Department (ITAR 126.1(e)(2))
    • Example: Data breaches involving the release of ITAR-controlled data to China would require mandatory reporting to the State Department

13

Export Control Requirements for Data Breaches? (cont’d)

• EAR
  – Similarly broad view of “exports”
  – Actual transfers versus constructive access
  – Process for voluntary self-disclosures – no mandatory reporting
• DOE
  – Very interested in data breaches involving controlled nuclear technology
  – Strongly encourages self-reporting of data breaches to DOE
  – Nuclear power plants also may be subject to reporting requirements to the Nuclear Regulatory Commission depending on the nature of the data released

14

The U.S. Policy Landscape – Proposed Revisions to Definitions in EAR and ITAR

• As part of ECR, a proposed rule was issued on June 3, 2015 to revise certain definitions in the EAR to enhance clarity and ensure consistency with the ITAR; comparable changes to certain definitions were concurrently proposed for the ITAR
• Proposed new Section 734.18 of the EAR and Section 120.52 of the ITAR, each relating to activities that are not exports, reexports, and transfers, include an important new provision pertaining to encrypted technology and software
  – Paragraph (a)(4) of the EAR and paragraph (a)(4)(ii) of the ITAR each establish a specific carve-out from the definition of “export” for the transfer of technology and software that use “end-to-end” encryption
    • The intent of this requirement is that the relevant technology or software is encrypted by the originator and remains encrypted until it is decrypted by the intended recipient

15
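To make the “end-to-end” condition concrete for an engineer implementing it, here is an added example (written for this page; it is not code from the presentation or from Hogan Lovells). The originator encrypts a technical-data file with AES-256-GCM under a key that only it and the intended recipient hold; a simulated intermediary such as a cloud storage host stores and returns only the ciphertext; the recipient decrypts. Three checks are reported: the recipient recovers the data, the stored copy never contains the plaintext, and a key the intermediary makes up for itself fails authentication. The object name, the sample data and the assumption that the shared key reached the recipient out of band are all constructed for the demonstration; key distribution is outside its scope.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Intermediary models a storage or transit provider (a cloud host, say) that
// sits between originator and recipient. It stores and returns bytes but is
// never given a key.
type Intermediary struct{ stored map[string][]byte }

func NewIntermediary() *Intermediary { return &Intermediary{stored: map[string][]byte{}} }

func (m *Intermediary) Store(name string, blob []byte) { m.stored[name] = append([]byte(nil), blob...) }

func (m *Intermediary) Fetch(name string) []byte { return m.stored[name] }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext under key; the random nonce is
// prepended so the recipient can recover it.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open verifies and decrypts a blob from Seal. A wrong key, or any change to
// the bytes in transit, makes the authentication tag fail and returns an error.
func Open(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

func randomKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

// TransferResult records the properties the carve-out depends on.
type TransferResult struct {
	RecipientRecovered bool // the intended recipient got the original bytes back
	PlaintextExposed   bool // the intermediary's stored copy contains the plaintext
	IntermediaryOpened bool // the intermediary could decrypt with a key of its own
}

// RunTransfer moves plaintext from originator to recipient via the intermediary
// and checks each property. The shared key is assumed to have reached the
// recipient out of band (an assumption of this demonstration).
func RunTransfer(plaintext []byte) (TransferResult, error) {
	var res TransferResult
	sharedKey, err := randomKey() // held by originator and recipient only
	if err != nil {
		return res, err
	}
	host := NewIntermediary()

	blob, err := Seal(sharedKey, plaintext) // originator encrypts before upload
	if err != nil {
		return res, err
	}
	host.Store("drawing-rev3.bin", blob) // constructed object name
	stored := host.Fetch("drawing-rev3.bin")

	res.PlaintextExposed = bytes.Contains(stored, plaintext)

	hostKey, err := randomKey() // a key the intermediary makes up for itself
	if err != nil {
		return res, err
	}
	_, hostErr := Open(hostKey, stored)
	res.IntermediaryOpened = hostErr == nil

	got, err := Open(sharedKey, stored) // recipient decrypts
	res.RecipientRecovered = err == nil && bytes.Equal(got, plaintext)
	return res, nil
}

func main() {
	sample := []byte("ITAR technical data: sample drawing notes (constructed)")
	res, err := RunTransfer(sample)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

The useful property for a compliance review is the second and third checks together: what the provider holds is ciphertext, and possession of the ciphertext alone does not let it recover the data. If the provider also holds or can obtain the key (for example, a provider-managed encryption key), the data is not encrypted end to end in the sense the proposed rule describes, whatever the storage encryption setting says.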

The U.S. Policy Landscape – Restrictions for Items Related to “Intrusion Software”

• The Commerce Department published proposed amendments to the EAR in May 2015 to implement changes adopted by the Wassenaar Arrangement
• Proposed rules would create new restrictions and requirements for the export of hardware, software, and technology related to “intrusion software” (but not “intrusion software” by itself)
  – Proposed rules are deliberately broad in scope, capturing a range of items that use intrusion software to identify vulnerabilities of computers and network-capable devices
• Export license would be required for all destinations except Canada

16

The U.S. Policy Landscape – Cybersecurity Requirements for DOD Contractors

• DOD issued an interim rule on August 26, 2015 to implement baseline safeguarding using NIST 800-171 for “covered defense information” and rapid reporting requirements of cybersecurity incidents for all contractors and subcontractors (including commercial contractors)
  – “Covered Defense Information” includes, among other categories, export controlled information (which is defined broadly)
  – Mandatory rapid reporting = within 72 hours
  – Mandatory flow-down requirements for contractors and subcontractors
  – Dec 30, 2015 revision allows contractors until Dec 2017 to fully implement 800-171 safeguarding standards (but contractor must tell DOD within 30 days of contract award what 800-171 standards are not in place)
• DOD issued an interim rule on October 2, 2015 for contractors and subcontractors participating in DOD’s Defense Industrial Base (DIB) cybersecurity activities program, aligning cybersecurity reporting requirements with those in the August 26 rule
  – Mandatory rapid reporting = within 72 hours
  – Broader applicability – applies to all forms of contracts or other agreements between DOD and DIB companies

17

The U.S. Policy Landscape – DOD Cloud Computing Requirements

• DOD’s August 26, 2015 interim rule also includes requirements related to cloud computing services:
  – Requires providers to establish certain administrative, technical and physical safeguards
  – Data must be stored in the U.S.
  – Contractors must represent to the U.S. Government if they are using cloud services
• Mandatory reporting of cybersecurity incidents related to cloud computing services
• Requirements flow down; the DFARS clause must be included in subcontracts potentially involving cloud services

18

The U.S. Policy Landscape – Controlled Unclassified Information Proposed Rule

• Under E.O. 13556, Controlled Unclassified Information, Nov 4, 2010, the National Archives and Records Administration (NARA) leads the national CUI program.
• Program addresses government-wide issues (inconsistent markings, inadequate safeguarding, needless restrictions) by standardizing safeguarding procedures and by providing common definitions through the CUI Registry.
  – Export controlled information is a category on the CUI Registry; currently uses broad definition that matches DOD rule
• The CUI Program’s three part implementation plan:
  – 1. Finalize the proposed CUI rule in 32 CFR § 2002
    • Proposed rule issued May 2015; final rule expected early 2016
  – 2. Finalize NIST 800-171
    • Finalized June 2015; DOD’s August 2015 rule requires contractors to use 800-171
  – 3. Release a single Federal Acquisition Regulation (FAR) rule on CUI safeguarding.
    • FAR clause will extend CUI cybersecurity safeguarding requirements similar to DOD rule to non-DOD contractors

19

CUI Safeguards for Breach Response

It is anticipated that the CUI Basic Safeguards, including breach response, will be guided by NIST SP 800-171

• NARA and NIST collaborated on the SP 800-171 and on the final CUI rule

20

CUI SECURITY REQUIREMENTS – 3.6 INCIDENT RESPONSE (corresponding NIST SP 800-53 r.4 controls listed under each requirement)

• 3.6.1 Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery,
  – IR-2 Incident Response Training
  – IR-4 Incident Handling
  – IR-5 Incident Monitoring
  – IR-6 Incident Reporting
  – IR-7 Incident Response Assistance
• 3.6.2 Track, document, and report incidents to appropriate organizational officials and/or authorities
• 3.6.3 Test the organizational incident response capability.
  – IR-3 Incident Response Testing and Coordination with other plans

Note: Incident response policies and procedures (IR-1) and planning (IR-8) are expected to be satisfied without NIST specifications.

The U.S. Policy Landscape – Authorization of Cybersecurity Sanctions

• President Obama issued E.O. 13694 on April 1, 2015 authorizing economic sanctions against the perpetrators of “malicious cyber-enabled activities”
  – This authority provides a broad mandate for the U.S. Government to block the property and interests in property in the U.S. of the perpetrators of significant cyber attacks
  – Intended to deter future cyber-enabled attacks against critical infrastructure and the private sector
  – Issued without an initial set of designations and no designations have been made to date
• E.O. 13687, issued on January 2, 2015, imposes economic sanctions on certain North Korean persons in response to cyber attacks against Sony Pictures

21

22

Preparing for a Cybersecurity Incident Involving Regulated Data: Industry Best Practices

What does Preparedness Mean for Your Company?

23

• Assess Risk and Prepare
• Develop Policies and Governance Mechanisms
• Set the Tone from the Top
• Have the Right People in Place
• Conduct Periodic Risk Assessments
• Plan Response
• Confirm Adequate Safeguards Are in Place
• Conduct Exercises to Assess Preparedness
• Evaluate Insurance Coverage

Tailoring “Best Practice” Controls to Protect Export Controlled Data

• Technical Controls
  – Information Management
  – Information Protection
  – Information Access
  – Monitoring and Review
• Legal, Regulatory and Contractual Controls
  – Internal Tracking
  – Documentation
  – CUI Rule/NIST SP 800-171
  – FAR and DFARS
• Governance
  – Data Oversight
  – Enterprise Engagement
  – Risk Management Process
  – Audit Process
• Business Controls
  – Identity Management
  – Access Control
  – Personnel and Asset Management
• Physical Controls
  – Secure Areas
  – Equipment Security

24

25

Responding to a Cybersecurity Incident


Pathology of a Major Cyber Incident

26

• Internal Incident Response & Investigation
• Regulatory Inquiries and Investigations Related to Export Controlled Data
• Shareholder Litigation
• Vendors/Forensic Experts
• Coordination with Law Enforcement/FBI
• Insurance Coverage Investigation
• Notification
• Media Inquiries, Public Relations, and Customer Inquiries
• Congressional Investigation and Inquiries
• FTC Information Inquiry or Civil Investigative Demand
• Consumer Litigation
• State Attorneys General Investigation
• State Regulatory Investigations
• International Regulatory Inquiries and Investigations
• SEC Investigation and 10-K/10-Q Statements
• Information Sharing

Important Considerations for Export Controlled Data

• How will you know if your export controlled data has been compromised?
  – Has your technology been classified? What is controlled and by which regime?
  – Where is your controlled technology located?
• Does your Incident Response Plan incorporate export control considerations?
  – Is your Incident Response Team aware of requirements relating to export controls?
  – Have you involved the Legal/Trade Compliance team?
  – Training for Incident Response Team on export controls?

27

Important Considerations for Export Controlled Data (cont’d)

• Do you have a plan for post-incident legal coordination regarding regulatory requirements and inquiries following a breach?
  – If you have ITAR-controlled data, do you have a process for reporting breaches involving China or other arms-embargoed countries?
  – Do you have a process for assessing whether to self-disclose other breaches involving export controlled data?
  – If you are a government contractor or subcontractor, are you prepared to meet DOD rapid reporting requirements?

Self-disclosure is a legal, not a technical, process – need to involve Legal/Trade Compliance

28

Next Steps in Preparedness

• Internal Assessment
  – Maturity of Cybersecurity Program and People
  – Defined Responsibilities
  – Assessment of Compliance Program for Export Controlled Data
• Policies and Procedures
  – Integrated and Reinforcing Approach between IT/Cybersecurity Policies and Procedures and Export Control-Related Policies and Procedures
• Testing of People, Processes, and Technical Controls
• Coordination with Appropriate Vendors/Experts

29

Questions / Discussion

30

31

Presenter biographies

Hogan Lovells

M. Peter Adler

Peter Adler has a passion for privacy and cybersecurity law. He has extensive experience helping clients comply with state, federal and international laws, regulations, rules and standards that are relevant to information security, privacy and data protection. He has pursued his passion in a wide range of market sectors, including financial services, healthcare, retail, higher education, government contractors and international business. His experience includes:

• Worked directly with the Office of Personnel Management (OPM), and Senate and House Oversight Committees on the recent OPM breaches, representing SRA;
• Worked as the Chief Privacy Officer for the largest health plan in the country, including managing compliance with U.S. and international privacy laws, including HIPAA, international data transfers and financial services privacy and security regulations;
• Performed as interim Chief Information Security Officer (CISO) for the University of Colorado;
• Led a large and successful national HIPAA compliance team that provided services for over 250 health care entities including the University of Texas Medical Centers, American Medical Response and Ascension Health;
• Performed privacy and security due diligence in business transactions, contracts, mergers and acquisitions and initial public offerings;
• Provided security breach advice and services to a large national bank and advised other financial services entities on GLBA, FACTA, and FCRA, and Federal Trade Commission (FTC) enforcement activities;
• Worked with retail establishments on the Payment Card Industry Data Security Standards (PCI-DSS) and FTC regulations;
• Provided privacy and information security assessment and compliance services for the Commonwealth of Massachusetts, the City of Chicago and Sun Microsystems (now Oracle); and
• Served as incident response counsel for entities insured by a large cyber insurance carrier and separately advised companies on cyber insurance coverages.

Peter is General Counsel and a member of the Board of Directors of Data Guardian Pros. Prior to that Peter was the Vice President, Deputy General Counsel and Chief Privacy Officer for SRA International, Inc. (SRA). SRA was a mid-sized government contractor serving defense, intelligence, homeland security and civilian agencies.

He attended Georgetown University Law Center, where in 1993 he received his Master of Laws (LL.M.), International Law, with distinction. He received his Juris Doctor (J.D.) from William Mitchell College of Law and his Bachelor of Science (B.S.) in communications from Ohio University. He has been certified as an information privacy professional (CIPP) since 2002 and he passed the certified information systems security professional (CISSP) examination in 2001.

32

M. Peter Adler [email protected]

Hogan Lovells 33

H. Deen Kaplan, Partner, Hogan Lovells
Washington, D.C.

Deen Kaplan, a director of the Hogan Lovells international trade and investment group, represents businesses and governments in a wide range of international trade and investment disputes, cybersecurity and cyber policy-related matters, customs/security related issues, and trade policy matters. Deen acts on behalf of clients in several fora, including dispute settlement proceedings before the World Trade Organization (WTO), the London Court of International Arbitration (LCIA), U.S. and Chinese government-led investigations and appeals, and trade-related bilateral and multilateral negotiations. Deen's trade-focused areas of concentration include international arbitration, security and trade, trade in technology products, government-related disputes, subsidy law policy, WTO matters, and countervailing and antidumping duty litigation.

In his cybersecurity practice, Deen has assisted clients in effectively addressing a range of international incidents and security-related matters. These include managing overall incident responses, threat detection and mitigation strategies, cyber-risk legal planning, determining and managing notification obligations, and long-term secure data strategies. Deen has managed incident responses involving multiple countries, including legal and technical coordination across several continents. Deen has worked closely with corporate general counsel, dedicated internal IT staff, outside security consultants and law enforcement authorities in North America, Europe, and Asia.

Deen serves as co-chair of Hogan Lovells Technology Committee and a member of the global Core Technology Group that helps manage the firm’s technology policies and resources across more than 45 offices. Deen also brings to bear nearly a decade's worth of practical experience in the business and nonprofit sectors, including service as an executive in computer hardware, software development, and consulting businesses.

Deen is the associate editor of the Kluwer Law International ITA Monthly Report, an international arbitration law journal published in association with the Institute for Transnational Arbitration. He also lectures regularly on international trade and investment issues and teaches international trade and dispute law at the University of Maryland School of Law as a member of the adjunct faculty. The 2007 edition of Chambers USA lauds Deen as "unbelievably smart," noting his role in one of the world's largest trade disputes and his capacity to "blow clients away" with his work.

H. Deen Kaplan, Partner, Washington, D.C.
T +1 202 637 5799
[email protected]

PRACTICES
• International Trade and Investment
• Privacy and Cybersecurity
• International Arbitration

INDUSTRY SECTORS
• Technology
• Aerospace, Defense, and Government Services
• Automotive
• Aviation

EDUCATION
• J.D., magna cum laude, Order of the Coif, Georgetown University Law Center, 1997
• M.Div., cum laude, Gordon Conwell Seminary, 1986
• B.A., magna cum laude, Duke University, 1982

Hogan Lovells 34

Ajay Kuntamukkala, Partner, Hogan Lovells
Washington, D.C.

Ajay Kuntamukkala assists clients with a range of regulatory and policy matters involving international trade and national security, including export controls, economic sanctions, defense trade, international trade policy, and antibribery matters. Ajay's practice ranges from counseling clients on complying with the relevant trade and sanctions laws and regulations, designing and implementing compliance programs, obtaining government licenses and authorizations, and assisting clients with government investigations and enforcement proceedings related to trade and sanctions matters. In this regard, he represents clients before the U.S. Departments of State, Treasury, Defense, Commerce, Energy, and other agencies. Ajay also counsels clients on international trade policy and legislative matters and on compliance with the Foreign Corrupt Practices Act (FCPA).

In addition, Ajay is a member of Hogan Lovells' India working group and helps to coordinate the firm's India-related activities.

Ajay rejoined the firm after serving as Senior Advisor to the Undersecretary of Commerce for Industry and Security from 2003 to 2005. At the U.S. Department of Commerce, he counseled the Undersecretary on a range of issues at the intersection of international trade and national security, including U.S. export control policy and high-technology trade. He also assisted the Undersecretary with the agency's international initiatives, including coordinating U.S. government and industry efforts under the U.S.-India High Technology Cooperation Group to expand high-technology trade with India. This included assisting with U.S. and Indian government negotiations concerning the End-Use Verification Agreement and the Next Steps in Strategic Partnership initiative, which involved policy changes and other measures in the areas of civil space, civil nuclear, defense, and high technology. In addition, he served as the Undersecretary's appeals coordinator, presiding over informal hearings and advising the Undersecretary on the disposition of administrative appeals and enforcement proceedings.

Prior to his service at the Department of Commerce, Ajay was an associate at Hogan Lovells from 2000 to 2003.

Ajay is active in local community affairs. He was appointed by the Governor of Maryland to serve on the Governor's Commission on Asian Pacific American Affairs. He has also served as the President of the South Asian Bar Association of Washington, D.C.

Ajay Kuntamukkala, Partner, Washington, D.C.
T +1 202 637 5552
[email protected]

PRACTICES
• International Trade and Investment
• India
• Energy
• Education

INDUSTRY SECTORS
• Technology
• Aerospace, Defense, and Government Services
• Education
• Energy and Natural Resources
• Life Sciences
• Technology, Media and Telecoms

EDUCATION
• J.D., Georgetown University Law Center, 2000
• M.P.P., Harvard University, 1998
• B.A., summa cum laude, Boston College, 1995

Hogan Lovells 35

Michael J. Scheimer, Associate, Hogan Lovells
Washington, D.C.

Michael Scheimer is an associate in our Washington, D.C. office, advising clients on government contract matters with a particular focus on defense, information technology, and intelligence contracts.

Michael has extensive experience with government contract cybersecurity issues, including federal cloud computing programs, contractor data breach reporting, information sharing between government and industry, contractor handling of classified and controlled unclassified information, and government information system security accreditation processes. He also has experience in international contracting issues, including Foreign Military Sales, contractors operating in foreign countries, and multinational defense procurement programs. He has worked on government-contract software rights and industrial security issues in numerous M&A transactions.

He has also advised government contractor clients on export control issues, technology transfers, government sanctions, and required contractor certifications and disclosures under domestic sourcing laws including the Trade Agreements Act, Buy American Act, and the Berry Amendment.

Prior to joining Hogan Lovells, Michael worked for a major defense contractor in a number of positions. His most recent assignment was as a legal analyst in the Department of Defense (DoD) Office of the General Counsel, International Affairs, where he reviewed DoD international armaments cooperation efforts in R&D activities and international acquisition programs. Prior to that, he was a national security policy analyst in the Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics, where he reviewed strategic systems acquisitions including ballistic and cruise missiles, space and cyberspace systems, and missile defense programs. He assisted in the New START arms control agreement negotiations and other arms control, non-proliferation, and cooperative threat reduction programs. Prior to that, Michael was an acquisition policy analyst in the Office of the Assistant Secretary of the Army for Acquisition, Logistics, and Technology, where he reviewed UAS programs and counter-IED systems.

While in law school, Michael was the Symposium Editor for the American University International Law Review and a Board Member of the National Security and Law Society.

Michael J. Scheimer, Associate, Washington, D.C.
T +1 202 637 6584
[email protected]

PRACTICES
• Government Regulatory
• Government Contracts

INDUSTRY SECTORS
• Aerospace, Defense, and Government Services
• Technology, Media and Telecoms
• Technology

EDUCATION
• M.A., American University, School of International Service, 2012
• J.D., American University, 2010
• B.A., College of William & Mary, 2004

"Hogan Lovells" or the "firm" is an international legal practice that includes Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses.

The word "partner" is used to describe a partner or member of Hogan Lovells International LLP, Hogan Lovells US LLP or any of their affiliated entities or any employee or consultant with equivalent standing. Certain individuals, who are designated as partners, but who are not members of Hogan Lovells International LLP, do not hold qualifications equivalent to members.

For more information about Hogan Lovells, the partners and their qualifications, see www.hoganlovells.com.

Where case studies are included, results achieved do not guarantee similar outcomes for other clients. Attorney Advertising.

© Hogan Lovells 2016. All rights reserved.

Hogan Lovells has offices in: Alicante, Amsterdam, Baltimore, Beijing, Brussels, Budapest*, Caracas, Colorado Springs, Denver, Dubai, Dusseldorf, Frankfurt, Hamburg, Hanoi, Ho Chi Minh City, Hong Kong, Houston, Jeddah*, Johannesburg, London, Los Angeles, Luxembourg, Madrid, Mexico City, Miami, Milan, Minneapolis, Monterrey, Moscow, Munich, New York, Northern Virginia, Paris, Perth, Philadelphia, Rio de Janeiro, Riyadh*, Rome, San Francisco, São Paulo, Shanghai, Silicon Valley, Singapore, Sydney, Tokyo, Ulaanbaatar, Warsaw, Washington DC, Zagreb*

*Associated offices