Transcript Lisa, Sotto - Cyber Policy and Legal Environment

EEI: Cybersecurity Law Conference
Lisa J. Sotto
Hunton & Williams LLP
(212) 309-1223
[email protected]
www.huntonprivacyblog.com
October 24, 2014
Paul M. Tiao
Hunton & Williams LLP
(202) 955-1618
[email protected]
The Privacy and Cybersecurity Team
at Hunton & Williams
• Over 25 privacy professionals in the U.S., EU and Asia
• Our privacy clients have included 6 of the Fortune 10
• Representing clients across multiple industry sectors, including
energy, retail, transportation, consumer products, publishing,
financial services, technology, advertising, health care and
pharmaceutical
• Centre for Information Policy Leadership at Hunton & Williams
• www.HuntonPrivacyBlog.com
•
@hunton_privacy
Roadmap
• Introduction
• Cyber Threat Landscape – Setting the Stage
• The Legal and Policy Environment
– U.S.
– EU
• Lessons Learned
3
A Sampling of Recent Global Headlines
1 August 2013
Another wave of DDOS attacks on
Financial Institutions launched but
deemed to have little impact
3 April 2014
5 May 2014
Heartbleed bug announced
– related breaches
uncovered
French Telco reports 2nd
breach in past several
months
2 December / January 2013
Several U.S. retailers and a UK
announce significant credit card
breaches
4 April 2014
Worst data breach in German history
identified; 18+ million email
passwords compromised
7
May 2014
Ebay Breach – investigations in
the US and UK anticipated
6
May 2014
Target CEO resigns; the
company’s breach response
cited as a contributing factor
4
The Cyber Threat Landscape
• Threat Actors
• Threat Vectors
• Targeted Information and Systems
5
A Year In Review
•
•
Recent Compromises
– Target
– Neiman Marcus
– Michaels
– The UPS Store
– Goodwill
– The Home Depot
– JPMorgan Chase
Recent Government Activity
– Congressional inquiries
– Calls for FTC action
– PLA indictment
6
Legislative and Policy Environment
• Congressional attempts to pass cybersecurity legislation
– Numerous efforts to pass a cybersecurity law
– Key legislative issues
– Failure to pass legislation in 2012 provided impetus for the 2013
Executive Order on Improving Critical Infrastructure Cybersecurity
7
Executive Order on
Improving Critical Infrastructure Cybersecurity
• Cybersecurity Framework
– Voluntary program, including incentives
• Information sharing
• Identification of critical infrastructure for which a cybersecurity attack
could have catastrophic effects
• Agencies to determine whether existing regulations are sufficient and
take regulatory action to address deficiencies
• Use of the federal procurement process to encourage contractors to
enhance information security practices
• Consideration of privacy and civil liberties issues
8
Cybersecurity Framework
•
•
•
•
NIST published final version of Cybersecurity Framework on Feb. 12, 2014
– Framework Core
– Implementation Tiers
– Framework Profile
– Privacy appendix in preliminary Framework (Oct. 2013) stricken from final
Extensive public input
– Five widely-attended workshops
– Request for Information
– Many comments on the preliminary version of the Framework
Likely benchmark in regulatory, enforcement and litigation context
Future workshops and versions
9
A Life-Cycle Methodology
10
Function Categories
6 Functions, 22 Categories, 98 Sub Categories
Identify – Asset management, business environment, governance, risk
assessment, risk management
Protect – Access control, awareness & training, data security, process
& procedures, maintenance, protective technologies
Detect – Anomalies & events, continuous monitoring, detection
processes
Respond – Response planning, communications, analysis, mitigation,
improvement
Recover - Recovery planning, improvements, communications
11
Framework Profile
* This same roadmap visualization can be applied to the categories and subcategories within each function.
12
Electric Utility Issues
• Industrial Control Systems
• Smart Grid
• Information Sharing Groups
– Electricity Subsector ISAC
– Downstream Natural Gas ISAC
• Cyber insurance for operational technology
13
Federal Agency Information-Sharing Programs
• DHS
– National Cybersecurity and Communications Integration Center (NCCIC)
• US-CERT
• ICS-CERT
– Cybersecurity Information Sharing and Collaboration Program (CISCP)
• FBI
– Cyber Division & FBI Field Offices
– National Cyber Investigative Joint Task Force
– National Cyber and Forensics Training Alliance
– Domestic Security Alliance Council
– InfraGard
• DOE
– Cybersecurity Risk Information Sharing Program (CRISP)
14
Public-Private Information Sharing Issues
• Standard Agreements
– DHS Cooperative Research and Development Agreement
– FBI Memorandum of Agreement and Non-Disclosure Agreements
• Information sharing rules and procedures
• Information handling restrictions
• Protection from disclosure under FOIA
• Implications for regulatory enforcement
• Prosecutorial implications
• Privacy risks
15
Data Security Rules
•
•
•
Federal Law
– FTC Act
– Gramm-Leach-Bliley
– HIPAA/HITECH
– FACTA Disposal Rule
State Requirements
– MA, NV, CA and progeny
– Breach notification laws
Industry Standards
– PCI DSS
– ISO
– NIST
16
Utility-Specific Cybersecurity Requirements
• Version 5 Critical Infrastructure Protection Reliability
Standards
– Expanded scope of covered cyber systems
– Categorization of systems by impact on reliability
– Enforcement date – April 2016
• NERC Physical Security Standards
17
Legal Obligations
• Understand your legal obligations arising out of a cyber event
– Breach notification and other obligations
• State, federal, international law
• Industry standards
• Contractual obligations
• SEC reporting
18
State Breach Notification Requirements
• Generally, the duty to notify arises when unencrypted computerized
“personal information” was acquired or accessed by an unauthorized
person
• “Personal information” generally is an individual’s name plus:
– Social Security number
– Driver’s license / state ID card number or
– Account, credit or debit card number, along with password or
access code
• Service providers must notify data owners of security breaches and
some states require “cooperation” with the data owner
19
Variations in State Breach Laws
– Definition of PI
– Computerized v. paper data
– Notification to state
agencies
– Notification to CRAs
– Timing of individual
notification
– Harm threshold
– Content of notification letter
– Preemption
– New CA requirements
20
SEC Cybersecurity Guidance
• Companies are not disclosing enough
– The SEC is cracking down
• Vast majority of companies that did address cyber issues used only
boilerplate language
– Some hacking victims said nothing
• Disclosures often don’t give a genuine sense of the risk
– Cyber attacks are included as one of many potentially
catastrophic events
21
SEC Enforcement Efforts
• SEC is now formally investigating companies’ cyber disclosures
– Focused on whether investors appropriately informed
– Probes are not public
– Target is reported to be facing scrutiny
– Prospect of enforcement actions
22
EU Cybersecurity: Regulatory Efforts
•
•
•
•
On February 7, 2013, the EC issued a draft directive on cybersecurity
Once adopted, member states will have 18 months to implement the Directive
The aim of the Directive is to
– Achieve European cyber resilience
– Drastically reduce European cybercrime
– Develop common European cyber defense policies and resources
– Establish a coherent European cyberspace policy and promote core EU values
The Directive would require EU competent authorities to cooperate, share
information, and coordinate responses
23
EU Cybersecurity: Breach Reporting
• The Directive would require companies in “critical” sectors to adopt
strict network security standards and report “significant” cybersecurity
incidents
• The proposals encompass a broad section of industry sectors,
including non-essential services such as YouTube and Spotify
• The proposals do not clearly distinguish between targeted
cybersecurity incidents and other types of breaches
• The breach reporting requirements are not harmonized with existing
and anticipated breach reporting requirements under the EU EPrivacy Directive and the proposed EU General Data Protection
Regulation
24
Global Breach Notification Requirements
• Breach notification requirements and guidance emerging
across the world
– 30+ countries outside the U.S. now require or strongly
recommend notification
• Federal and provincial standards in Canada
• Several countries in Europe (including Germany)
• All major countries in Asia and Oceania (including Australia,
Hong Kong, India)
25
1
Data Breach Response Timeline
Event
2
Mobilize
3
Legal Posture
4 Law Enforcement
5
Stabilize
6
Investigate
7
Legal Analysis
8
Notify
9
Regulatory
Response
10
Lawsuits
11 Review & Improve
26
Lisa J. Sotto
Partner
Chair, Privacy and Cybersecurity
Practice
Hunton & Williams LLP
(212) 309-1223
[email protected]
Paul M. Tiao
Partner
Hunton & Williams LLP
(202) 955-1618
[email protected]
27