Transcript Protecting Your Good Name

Cyberliability
Introduction and Overview
 Overview
– History
– The Problem: Escalating Risks from Internet
Connectivity
– Cyberliability
•
•
•
•
•
•
Discrimination
Harassment
Information Leaks
Offensive Content
Defamation and Libel
Spam
 Overview
– Monitoring Internet Usage: Employer’s
Rights and Responsibilities
– Internet Usage Policy Quiz
– Policies, Management Support
– E3 + E3
A quick update…
The Internet is Changing Today’s
Business Model
Internet
Suppliers
Branch
Office
LAN
WAN
Customers
Intranet
Telecommuters
No More Business as
Usual…
New Business Model
New Rules for a New
Type of Business. . .
 Instant access to information
 Speed of execution is critical
 24 hours per day (7X24)
 Global competition & access
 Provide information without barriers
 End-to-end security
It is Not a Luxury, it’s a Competitive Reality
The Internet is Changing Today’s
Business Model
Internet
Suppliers
Branch
Office
LAN
WAN
Customers
Intranet
Telecommuters
There is one enterprise and it’s global.
There is one network and it’s the Internet.
In the near future…
 By the year 2002, more than 88 million
users in the United States will be
connected to the Internet at work, using
it as a tool for e-commerce, marketing,
supply chain management, remote site
connectivity and customer support.
(Source: Estats, 1999
 Once connected, these users will have
the ability to:
– Disseminate product and company
information at a faster rate
– Communicate instantly across geographic
boundaries
Once connected, these
users will have the ability to:
(cont.)
– Lower the costs of providing information
and services
– Share information with partners and
vendors
– Leverage the power of e-commerce and
multimedia applications
You’re not paranoid, they are out
to get you…
Who are We Protecting Ourselves
From?
 Hackers/Crackers/Phreakers
 Interior or Exterior attack
 Corporate Raiders
 Competitive Intelligence gathers
 Legitimate or Illegitimate inquiries
 Contractors
 Hacktivist
 Information Warfare
More risk…
Sources of Internet & Intranet
Risk:
 Web surfing
 Email
 Downloads
 Spam
 Newsgroups
Cyberliability
Cyberliability
 Cyberliability:
“legal proceedings and related
costs due to unmanaged Internet
& intranet use, including email, web surfing, ftp,
newsgroups and spam.”
For Example…
 Cyberliabilty:
– Legal liability: case preparation fees
– Legal liability: settlement or
damages
– Damaged image or brand
– Lower shareholder value
 Other Risk
– Decreased employee productivity
– Productivity slowdown
Remember we are all
connected…
 Of all the Internet
risks, cyberliability
exposes organizations
to new level of cyberdanger.
 e-documents are as
binding as those
written on company
letterhead.
 There is a trail of “eevidence”
Bottom Line…
 E-mail or web surfing that contain
offensive or company confidential
information can quickly result in:
– Legal fees (including costs to prepare,
litigate and settle cases)
– Depressed stock price
– Negative effect on brand, reputation and
organization confidence
Internet & Intranet Environment
 Combine the casual atmosphere of Internet
communications with this substantial
electronic paper trail, and it’s easy to see why
the use of “e-evidence” has become the new
evidence within the following categories of
litigation:
–
–
–
–
–
–
Discrimination
Harassment
Obscenity and pornography
Defamation and libel
Information leaks
Spam
Cyberliabilty Risks
Cyberliability Risk
– Discrimination
– Harassment
– Information Leaks
– Offensive Content
– Defamation and Libel
– Spam
 A complete listing of
cyberliability cases
and press coverage
could fill several
volumes.
 Lets chat about a
few recent examples
Discrimination
Discrimination
 A Federal court in New York has allowed a class
action discrimination suit based on racist e-mails. The
defendant is a large Wall Street brokerage firm and
the plaintiffs are seeking $60 million in damages.
(Owens and Hutton v. Morgan Stanley & Co., Inc.,
Case No 96 Civ 9747)
 Female warehouse employees alleged that a hostile
work environment was created in part by
inappropriate e-mail. Plaintiffs ask for $60 million in
damages; case settles out of court.
 (Harley v. McCoach, 928 F. Supp. 533, E.D. Pa.
1996)
Harassment
Harassment
 International Microcomputer Software pays a former
employee $105,000 after she received sexually
harassing messages on the firm’s electronic bulletin
board, even though the company reported the
incident to authorities and launched an internal
investigation. (Staff Writer, CNET News.com, April
14, 1999)
 Chevron settles sexual harassment lawsuit for $2.2
million over e-mail postings such as: “25 reasons why
beer is better than women.”
 (Jerry Adler, Newsweek, “When E-mail Bites Back,”
November 23, 1998)
Information Leaks
Information Leaks
 The Justice Department’s anti-trust lawsuit against
Microsoft Inc. is based in large part on internal e-mail
messages about efforts to insert a bug into Microsoft
products to disable competitor’s products. (Wall
Street Journal, John R. Wilke, August 27, 1998)
 The defense contractor Raytheon sued 21 “John
Doe” employees for posting company confidential
information on the Internet. Two workers have since
been identified and have elected to resign. (Staff
Writer, CNET News.com, April 6, 1999, 1:30 p.m. PT)
Information Leaks
 The restaurant chain Shoney’s is
demanding that Yahoo reveal the
identity of 100 people who posted
confidential information concerning
restaurant closings and an alleged
pending bankruptcy filing on message
boards. (Staff Writer, CNET News.com,
April 12, 1999, 5:00 a.m. PT)
Offensive Content
Offensive Content
 The New York Times dismissed 23 employees at an
administrative center for violating the company’s email policy regarding “offensive or disruptive
messages, including photographs, graphics and
audio materials.” (Staff writer, NYTimes, December
1, 1999)
 The Xerox Corp. fired approximately 40 people for
viewing porno-graphic sites at work, most managers,
directors, and exec-officers (Richard Mullins,
Rochester Democrat and Chronicle, October 7, 1999)
Offensive Content
 At least six employees of the US Navy
Naval Supply Systems Command
(NAVSUP) have been, or are expected
to be suspended for circulating
“inappropriate, adult humor material” in
e-mails. Another 500 were reported
disciplined. (Staff writer, The Sentinel,
December 4, 1999)
Defamation and Libel
Defamation and Libel
 Wade Cook Financial sues members of a
bulletin board for libelous statements about
the company. (Liz Enbysk, ZDNET
Anchordesk, March 10, 1999)
 An insurance company is sued for circulating
an e-mail that accused an employee of using
her corporate credit card to defraud the
company. (Meloff v. New York Life Insurance
Co., 51 F.3d 372, 2nd Cir. 1992)
Spam
Spam
 GTE blamed spam for the shutdown of
one of its mail servers. Several
individuals also complained over the
year that they were personally shut
down after spammers used the
individual’s e-mail addresses as forged
return addresses. (John C. Dvorak, PC
Magazine, March 24, 1998)
Monitoring Internet
Usage: Employer Rights
and Responsibilities
Monitoring Internet Usage: Employer
Rights and Responsibilities
 Employer’s Right to Monitor
– Most experts agree that an employer has
both the right and the responsibility to
manage employee Internet use, but…
– There are no laws on the books that can
be interpreted as prohibiting an employer
from watching what its employees do on
the Internet.
EPCA
 The Electronic Communications Privacy Act
(ECPA) generally prevents employers from
monitoring personal communications, such as
private phone calls, unless there is reason to
believe that a crime has occurred or certain
other exceptions. However, the ECPA does
support an employer’s right to monitor stored
electronic communications, such as voicemail
and e-mail messages in order to protect its
business, rights or property.
What can and cannot be done…
 What’s an employer to
do?
 Where do we start?
 What are our rights as
employers?
 What does the law
say?
 Can I really be
charged with any of
this?
Policies/Procedures/Practices
 Written Policy
– There is no legislation that requires employers
to require a written policy before monitoring email and web usage. However, having each
employee read and sign your Internet Usage
Policy is an extra step that the courts have
found to reinforce the employer’s rights:
• After being terminated for inappropriate emails, two employees later filed a lawsuit for
violation of privacy, which was then dismissed
by the California Court of Appeals.
 Written Policy (cont.)
• The court concluded that the employees have
no reasonable expectation of privacy in their email messages. The employees had
acknowledged and agreed to the employer’s
policies that stated that the use of company
computers was for business purposes only.
(Bourke v. Nissan Motor Corp., No YC-003979,
Cal. Ct. App., June 1993)
S.A.T.E.
S.A.T.E.
 Security Awareness, Training, and
Education
– Learning Continuum
• Awareness = what
• Training = how
• Education = why
– Continuous
– Upgrade & Update
– Test and Measure
Management Support
Management Support
 Ask for the policies and read them!
 Talk & Listen to your InfoSec Officers!
 Participate in meetings/discussions.
 Write memos on InfoSec matters.
 Test & Measure all employees.
 Financially support the InfoSec efforts…
 SPA-Security Posture Assessment (see
me…)
Oh, think about this…
Things that make you go
hmmm…
 While you were here listening to me, one of
your employees may be sending an email
that could eventually cost your
company/organization several millions
dollars.
 Another may be surfing the Web for personal
information, or exploring the latest offerings in
cyberpornraphy.
 Still others are spending valuable time
wading through – or following up on –
volumes of junk email.
Things that make you go
hmmm…
 And while you’re wondering is all of this
is going on, who is protecting you
corporations/organizations secrets
(sensitive material)? In the past year
alone, according to the International
Computer Security Association (ICSA),
employee security breaches increased
by 35% and the leak of proprietary
information increased by 58%.
E-Commerce, E-Business, EMail, EEEEEEEEE…
Doesn’t sound possible? Think
again. The “E” in email originally
stood for “electronic.” Now it could
mean “expensive.”
Does your Internet Usage Policy give specific guidelines for the
following corporate communications:
Web surfing, E-mail, FTP, Newsgroups, Chat rooms, Spam?
Do you periodically generate usage reports to get feedback on
compliance?
Weekly, Monthly, Bimonthly, Not at all
Have you posted your policy and given each employee a copy?
Yes or No
Have you vigorously enforced and promoted your policy?
Yes or No
Have you been consistent in your treatment of policy offenders?
Yes or No
Have you periodically updated your policy to reflect current
technology and business trends?
Annually, Semi-annually, Not at all
If you answered “no” to any of the questions above, your
policy is in need of an update.
And Finally...
E3 + E3
E3 + E3
Educate
 Establish a good
Enlighten
policy & program
 Educate based on
the policy
 Enforce the
policies
Empower
Q&A
USC - Center for Information
Assurance Studies

The security of networked systems of
computers is essential for information
security. USC – Center for Information
Assurance Studies is the home to what
many security professionals in the
computer and network security
community consider the “Top Gun”
institution for IA. Combining research
and studies in Information Assurance (IA)
and Information Security (InfoSec) since
its inception. The USC - Center for
Information Assurance Studies
encourages an open-environment in
which students, faculty, staff, and other
agencies work together to understand the
information assurance requirements of a
university setting as well as national
infrastructure protection. Addressing the
challenges presented by those
requirements through education and
research