GROWING TREND OF FINDING
REGULATORY AND TORT LIABILITY
FOR CYBERSECURITY BREACHES
Mark W. Ishman, Esq.

Masters in Law in Information Technology and Privacy Law
www.IshmanLaw.com | www.IshmanLegal.com
(919) 468-3266 | mishman@ishmanlaw.com
While there is a wide range of experience and
expertise exhibited by computer software
designers and programmers, those who develop
operating systems and security software are
generally at the higher end of the profession
in terms of education, training, and
experience.

Do I have your attention?

It is certainly possible to hold programmers
who write critical software, such as
operating systems and security software, to a
higher standard than those who write less
critical code such as word processors and
videogames.
Largest Known Data Breach –
160M Credit Cards – July 2013
 Five men from Russia and Ukraine allegedly stole over 160
million credit card numbers from 2005 to 2012 and sold them to others
in the underground market, where they were then used throughout
the world for ATM cash withdrawals and purchases
 The defendants allegedly sought corporate victims engaged in
financial transactions, retailers that received and transmitted
financial data, and other institutions with information they could
exploit for profit
 The defendants are charged with hacking and malware attacks
upon NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet
Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa
Jordan, Global Payment, Diners Singapore and Ingenicard
 It is not alleged that the NASDAQ hack affected its trading
platform
 http://www.justice.gov/usao/nj/Press/files/Drinkman,%20Vladimir%20et%20al.%20Indictment%20News%20Release.html
HIPAA Breach Compromises over 4
Million People – August 2013
 Theft of four UNENCRYPTED LAPTOPS compromised over 4
million patients' medical files containing their personally
identifiable information (name, SSN, address, phone numbers
and email addresses), Medicare data, medical
diagnoses, insurance and payment information
 2nd largest HIPAA data breach to date (the largest to date is just
under 5 million patient records compromised)
 Just last month, theft of two UNENCRYPTED LAPTOPS
compromised over 729,000 patients' medical files – October
2013
 11th largest HIPAA data breach to date
 To date, federal HIPAA enforcement has collected over $16 million from 16
organizations found to have violated HIPAA
 Data from the Department of Health and Human Services.
Publicly Traded Companies' Data
Breaches
 Sony paid $171 million in cleanup from its April 2011
PlayStation Network breach
 Heartland Payment Systems paid an estimated $140
million in losses from its breach
 Email services firm Epsilon paid an estimated $225
million in total costs as a result of its data breach

 Publicly traded companies retain outside
IT professional consultants for their
recommendations and for their specialized
security services, both for the retained skill set
as well as for liability reasons
Federal Trade Commission Complaints
 FTC has implemented initiatives to police computer
data breaches
 FTC complaints are REactive and NOT PROactive –
FTC complaints are all after the fact, rather than
implementing rules and providing guidance
 Most companies settle with the FTC and pay a fine
 If you defend against an FTC complaint, expect LARGE
litigation expenses, for example:
 Large corporation Wyndham has just responded to an FTC
complaint and has spent $5 million already on discovery
 Small corporation LabMD (25-person company) has just
responded to the FTC complaint and has spent $500,000 on
discovery
How is there liability to IT
security professionals for insecure
software?
Top Ten List of Security Certifications???
10. Vendor Certifications – Cisco- and Microsoft-specific
certifications top the list
9. CCE – Certified Computer Examiner
8. CPP – Certified Protection Professional
7. CBCP – Certified Business Continuity Professional
6. CEH – Certified Ethical Hacker
5. CSFA – CyberSecurity Forensic Analyst
4. CISA – Certified Information Systems Auditor
3. GIAC – Global Information Assurance Certification
2. CISM – Certified Information Security Manager
1. CISSP – Certified Information Systems Security Professional
What information security standards exist? Let's
look at the law…
• Global
  • ISO 17799, 27001
  • Basel II, EU Safe Harbors
  • Payment Card Industry – Visa CISP, MasterCard SDP
• Country Standards
  • National – NIST & OECD
• Industry
  • Healthcare – HIPAA
  • Finance – Gramm-Leach-Bliley, SEC, NASD, FFIEC, OTS
  • Finance – COBIT & BITS
  • Energy and Utility – NERC 1300, FERC (NEI 04-04)
  • E-Commerce – FTC e-commerce requirements
• State Laws – data security and breach notification laws
• Federal Government
  • DOD – Rainbow Series, NIST
  • NSA
  • Presidential Directives
What is the legal and business impact of
breached information security?
 Contractual violations
 Violation of state, federal and international laws
 Business interruption – income loss, extra expense
 Data asset loss, corruption, value reduction
 Lost ROI on technology and marketing investments
 Reputation losses & loss of valuation
 Extortion and other crisis management costs
What Laws Govern Insecure Software?
 HIPAA, Sarbanes-Oxley Act, Gramm-Leach-Bliley Act and other Acts and
their potential impact on liability to software developers
 Article 2 of the U.C.C.
 Computer hardware and packaged software, as movable objects, are
clearly goods and thus subject to the provisions of Article 2 – and for our
conversation, Article 2 protection from tort-related causes of action
 Transactions involving primarily personal services, such as those for
customization, expertise, maintenance, training, and support, are often
held not to be goods, and thus NOT to fall within the U.C.C.
 What about specialized "secure" computer software? Does that fall under
Article 2 or customized services?
 Negligence
 Product Liability
 Professional Malpractice Liability
 Federal Trade Commission complaint for unfair and deceptive acts or
practices, for deceptive claims that companies were safeguarding
customer data appropriately
Health Insurance Portability and
Accountability Act (HIPAA)
 HIPAA makes security a necessary prerequisite to
providing services to the health industry, including the
provision of any financial services.
 Breach Notification Rules
 Notify affected individuals
 Notify Business Associates
 Notify HHS (Federal Agency)
 Audits and Fines
 Penalty amount: $100 to $50,000 or more per
violation, up to a calendar-year cap of $1,500,000 for
repeated violations of the same provision
Sarbanes-Oxley Act (SOX)
 SOX requires that the CEO sign filings with the SEC that certify that the
company's computer systems are secure and that the company
maintains, in all material respects, effective internal controls over its
financial reporting.
 If the certification is wrong, the CEO faces potential prosecution for violations of SOX, with
 personal fines of up to one million dollars (five million if willful) and/or
 imprisonment for up to ten years (twenty if willful)

 If the company asks its software vendors, whose products the company
relies upon to provide that security and effective control, to certify that
their systems meet SOX's requirements, the vendors
 politely decline, mumbling something about how all software has bugs
and that the vendor is not willing to assume the risk that the customer's
system may be compromised by hackers, cyberterrorists, or perhaps just a
disgruntled ex-employee.

 Thus far the SEC has not taken action against any corporate executives
who have signed such an undertaking that later turned out to be untrue.
 We have not yet had a major accounting scandal arising from software
vulnerabilities
Gramm-Leach-Bliley Act (GLB)
 GLB is a comprehensive privacy and security law that financial
companies must adhere to.
 GLB covers both information handling practices and security
practices for "nonpublic personal information" (NPI).
 GLB's security requirements:
 You shall develop, implement, and maintain a comprehensive
information security program that is written in one or more
readily accessible parts and contains administrative, technical, and
physical safeguards that are appropriate to your size and
complexity, the nature and scope of your activities, and the
sensitivity of any customer information at issue (emphasis added).
 Also requires:
1. Exercise appropriate due diligence in selecting your service
providers;
2. Require your service providers by contract to implement
appropriate measures designed to meet the objectives of these
Guidelines; and
3. Where indicated by your risk assessment, monitor your service
providers to confirm that they have satisfied their obligations as
required by paragraph D.2. As part of this monitoring, you
Article 2 of the UCC
 Most bundled software (off-the-shelf or custom) falls
within Article 2 of the UCC
 a good thing for IT professionals, because you can use the
UCC to limit your liability, e.g., disclaimer of express and
implied warranties, limitation of liabilities and remedies
 Standalone (unbundled), customized and expertise
(security) software are determined on a case-by-case
basis
 Plaintiff attorneys will allege that the software vendor is in
the best position to take action to prevent security
breaches with standalone customized software
 Plaintiff attorneys will allege that software vendors were
negligent in the production or design of the computer
security systems, e.g., coding of the security and
encryption software
Negligence Claim – 5 Elements
(1) Software vendor owed a DUTY to the Plaintiff
 What type of duties?
 Duty to design and develop secure software
 Duty to instruct the licensee on how to use its products safely
 Duty to warn its licensees of the hidden dangers that the designed
software may contain
 Whether a duty exists in the law is largely a policy-based determination:
 Foreseeability of harm from a security breach
 Degree of certainty between the vulnerabilities and harm
 Closeness of the connection between lax Internet security practices
and the injury suffered
 Policy of preventing future intrusions
 Burden on the IT industry
 Consequences to the public of imposing a duty to maintain adequate
security
 Availability, costs and prevalence of security solutions
 Insurance
Negligence Claim – 5 Elements
(2) Standard of care imposed on the software vendor by that
duty
 Generally this means what the reasonably prudent person
would do under the circumstances
 In the IT industry, this standard of care is evolving
rapidly, and methodologies, procedures, and practices have
been accepted by the industry as risks are exposed
 The appropriate level of care to be followed in custom
software will vary depending on the nature and intensity of
the perceived risk resulting from an error
 Thus, the software developer's duty under negligence law is not
perfection, but only reasonableness, i.e., the standard of care of
a reasonable developer of security-related software under
like circumstances – employing the industry's best-practice
security standards
Negligence Claim – 5 Elements
(3) Breach of duty
 With secure software, there are no accepted tests that
exist currently for determining when a software
developer has breached its duty
Negligence Claim – 5 Elements
(4) Causation
 Two-prong test:
 Software developer's negligence must have been the cause-in-fact
of the plaintiff's injuries (but-for or substantial factor);
 Software developer's conduct must have been the
proximate (legal) cause of the injury, i.e., a foreseeable
result of the negligent act
Negligence Claim – 5 Elements
(5) Damages
 Plaintiffs are entitled to recover ALL damages, e.g., personal
injuries, property damages, economic losses
 Some courts do not allow recovery of purely economic
losses, e.g., defamation
 Some courts do not allow damages for data entered into the
computer system by a customer because that data is not part of the
software
 Until recently, in security breach cases, plaintiffs have been unable
to establish the "damages" requirement for negligence.
 In essence, courts have ruled that a consumer taking pre-emptive
actions to protect his or her credit has not suffered compensable
damages.
 Even if a consumer can show that they suffered identity theft, they
still have to establish that the security breach was the cause of such
identity theft (in theory the consumer's personal information could
have been obtained from a multitude of sources).
 Companies face the prospect of expensive attorney fees to defend these
actions, and if the plaintiffs' bar breaks through they could face
significant liability.
Negligence Applied to Security
Breach Liability
 Traditionally, security breaches are criminal acts of third
parties, and a software vendor cannot be liable for third-party
criminal conduct unless it is determined that such
criminal conduct was highly foreseeable.
 With hundreds of thousands of new cybersecurity threats
created every day, aren't third-party criminal acts of hacking
highly foreseeable?
 Duty, standard of reasonable care, breach of duty, causation
(foreseeability) and damages
 A California real estate escrow company has filed a
NEGLIGENCE lawsuit against its former bank for the loss of
$465,000 in an online banking hack last year
http://krebsonsecurity.com/2011/07/
Negligence Cases
Invacare Corp. v. Sperry Corp. (N.D. Ohio 1984)
 Federal district court refused to dismiss a negligence claim
alleging that a computer seller was negligent for
recommending its program and services to the buyer when "it
knew, or in the exercise of ordinary care, it should have
known, that . . . the programs and related data processing
products were inadequate," and because it advertised to the
buyer when it knew or should have known that "the programs
furnished could not satisfy [the buyer's] requirements."
 The court held that personnel in the computer industry, like
personnel in other trades (doctors, accountants, lawyers),
should be held to the ordinary standard of care for their trade.
Negligence Case
Claridge v. RockYou, Inc. (N.D. Cal. 2011)
 RockYou is a publisher and developer of online services and applications
for use with social networking sites such as Facebook and MySpace
 RockYou applications allow its users to share photographs and write
special text on a friend's page, or play games with other users
 Customers are required to sign up to use RockYou applications by
submitting personally identifiable information that RockYou stores in
a database
 Plaintiff alleges that RockYou promised through its website to safeguard
his personally identifiable information through commercially reasonable
measures … that did not include any form of encryption
 Plaintiff's personally identifiable information was hacked and made available
online
 Federal district court held that plaintiff's negligence claim could
proceed against RockYou despite not alleging specific damages other
than unauthorized and public disclosure of his personally identifiable
information
Negligence Case
Patco Constr. Co. Inc. v. People's United Bank (1st Cir. July 2012)
 Hackers installed malware on Patco's computers and stole its banking user name
and password, and used Patco's banking credentials to transfer money offshore
from Patco's account (common hacking facts)
 Since the hackers were attempting a large offshore transfer that was so far out of
the normal conduct of Patco, it caused an alert to flag this transaction
 The bank manager decided that since the password/user name combination and
accompanying answers to certain challenge questions were sufficient to verify the
transaction, the alert could be ignored, and all the money went offshore
 The Federal Appellate Court held that the Bank's reliance on password
authentication and its decision to ignore certain transaction-based flags that
highlighted the unusually large offshore transfer was not necessarily a good
commercial practice
 Court found that the Bank's reliance on answers to challenge questions that the
hackers provided was not a good security practice
 Court found that the Bank's contract with Patco incorporated the UCC requirement
that the bank act in a commercially reasonable way, and found that the Bank's
protections that it implemented were unreasonable
 Afterwards, this case settled for $345,000 (the amount transferred) and $45,000 in
interest.
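The Patco facts describe a control that fired and was then cleared with the very factors the attacker already held: a password and challenge answers keylogged from the same infected PC. The following is an added example, not code from the presentation or from the bank, showing a small transfer-risk check with the Patco-style decision beside a hardened one that refuses to let in-band knowledge factors clear an anomaly flag. The customer profile, payees, amounts, country codes and thresholds are constructed for illustration.

```python
# Added example (not from the presentation or the bank): a transfer
# risk check in the shape of the Patco facts. Profile, payees,
# transactions and thresholds below are constructed, not real data.
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Profile:
    """What the bank already knows about the customer's normal behaviour."""
    home_country: str
    past_amounts: list                  # prior outbound transfer amounts (USD)
    known_payees: set = field(default_factory=set)


@dataclass
class Transfer:
    amount: float
    dest_country: str
    payee: str
    password_ok: bool                   # in-band: keyloggable by malware on the customer PC
    challenge_ok: bool                  # in-band: challenge answers are keyloggable too
    out_of_band_ok: bool = False        # e.g. confirmation via a phone number held on file


def risk_score(p: Profile, t: Transfer) -> int:
    """0-100: how far the transfer departs from the customer's own history."""
    score = 0
    mu = mean(p.past_amounts)
    sd = pstdev(p.past_amounts) or 1.0  # avoid divide-by-zero on a flat history
    z = (t.amount - mu) / sd
    if z > 3:
        score += 50                      # amount is wildly outside the norm
    elif z > 1.5:
        score += 25
    if t.dest_country != p.home_country:
        score += 30                      # offshore destination
    if t.payee not in p.known_payees:
        score += 20                      # never paid this payee before
    return min(score, 100)


FLAG_THRESHOLD = 50                      # at or above this the transfer is flagged


def decide_patco_style(p: Profile, t: Transfer) -> str:
    """The losing pattern: a raised flag is cleared because the
    knowledge factors (password + challenge answers) matched."""
    if not t.password_ok:
        return "DENY"
    if risk_score(p, t) >= FLAG_THRESHOLD:
        # Reviewer accepts challenge answers as sufficient proof of identity.
        return "APPROVE" if t.challenge_ok else "DENY"
    return "APPROVE"


def decide_hardened(p: Profile, t: Transfer) -> str:
    """Flagged transfers need a factor that did not travel over the
    compromised channel; challenge answers cannot clear the flag."""
    if not t.password_ok:
        return "DENY"
    if risk_score(p, t) >= FLAG_THRESHOLD:
        return "APPROVE" if t.out_of_band_ok else "HOLD_FOR_OOB"
    return "APPROVE"


# Constructed customer: a small business with a steady domestic payroll pattern.
PROFILE = Profile(home_country="US",
                  past_amounts=[1000, 1500, 1200, 900, 1300, 1100],
                  known_payees={"ACME Payroll", "State Tax"})

# Constructed attacker transfer: stolen password, keylogged challenge answers,
# placeholder foreign country "XX", amount taken from the page's settlement figure.
ATTACK = Transfer(amount=345000, dest_country="XX", payee="Unknown Ltd",
                  password_ok=True, challenge_ok=True)

# Constructed ordinary payroll run.
LEGIT = Transfer(amount=1400, dest_country="US", payee="ACME Payroll",
                 password_ok=True, challenge_ok=True)

if __name__ == "__main__":
    for name, t in (("attack", ATTACK), ("legit", LEGIT)):
        print(name, risk_score(PROFILE, t),
              decide_patco_style(PROFILE, t), decide_hardened(PROFILE, t))
```

Run as a script it prints one line per transfer; the attacker's transfer scores 100 and is approved by the Patco-style rule but held for out-of-band confirmation by the hardened one, while the routine payroll scores 0 and passes both. The design point is that a factor captured by the same malware that captured the password adds no assurance, so the flag must be cleared by something the customer's PC never sees.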
Negligence Case
Lone Star Bank, et al. v. Heartland Payment Systems (5th Cir.
September 2013)
 Heartland had contracts with acquiring banks to
provide credit card processing services; the plaintiffs were issuing banks
whose cards ran through Heartland's systems
 Heartland was hacked in 2009 and lost the data from more than
160 million credit card accounts
 Because of the interlocking web of financial relationships in
credit card transactions, Heartland and its acquiring banks were not the only
parties affected by the hacking incident
 Damages included losses from fraudulent use of the stolen
data, cost of replacing credit cards and costs of providing their
customers with credit monitoring services
 Federal Appellate Court held that the issuing banks had a valid
negligence claim against Heartland for its cybersecurity failures
and that, if proven, they could recover their consequential
damages from Heartland
Today's recent headlines
 Negligence for theft of data from UNENCRYPTED LAPTOPS
 Hackers broke in at a US-based company that brokers
reservations for limousine and Town Car services nationwide,
exposing the personal and financial information of more
than 850,000 well-to-do customers, such as Fortune 500
CEOs, lawmakers and celebrities
http://krebsonsecurity.com/2013/11/hackers-take-limo-service-firm-for-a-ride/
 Negligence for storing data on servers that hackers are known
to use to stash their stolen data
Professional Malpractice Law
 Professional liability has generally been applied to those who
by virtue of specific training and licensing are deemed to
have a level of skills higher than that of non-professionals.
 To date, courts have been reluctant to hold computer
designers or programmers to the higher standard of
professionals due to the lack of established educational
standards or regulations governing the performance of
software programmers and developers, and because they are
not licensed as professionals … that is changing
 Many software developers have received extensive training in
the use of certain programming and testing
techniques, passed rigorous tests to become "certified," and
reached levels of expertise not held by general programmers.
 While this is not identical to the licensing requirements of
state licensing boards such as state bar associations or
medical boards, it may be sufficient to justify holding these
certified developers to a higher, professional
standard, particularly where their certifications relate to
secure software development.
Professional Malpractice Case
Diversified Graphics, Ltd. v. Groves (8th Cir. 1989)
 Plaintiff hired a large accounting firm to help it locate a
turnkey computer system.
 When the chosen system proved inadequate for the
company‘s needs, the company sued.
 The court ruled that the accounting firm should be held to
the American Institute of Certified Public Accountants‘
Management Advisory Service Practice Standards, which the
firm had incorporated into its guidelines for internal use.
 While the court refused to acknowledge a cause of action for
computer malpractice, by holding the accounting firm to the
AICPA standards, it achieved essentially the same result.
Professional Malpractice Case
Data Processing Services, Inc. v. L.H. Smith Oil Corp. (Ind. Ct.
App. 1986)
 Plaintiff claimed that the defendant was negligent in
designing an accounting and data processing software system.
 The state appellate court stated in dictum that "[t]hose who
hold themselves out to the world as possessing skill and
qualifications in their respective trades or professions
impliedly represent they possess the skill and will exhibit the
diligence ordinarily possessed by well informed members of
the trade or profession."
 The court concluded that "[t]he situation here is more
analogous to a client seeking a lawyer's advice or a patient
seeking medical treatment for a particular ailment than it is
to a customer buying seed corn, soap, or cam shafts."
Product Liability for Insecure Software
 Product liability law is imposed on the theory that the costs of damaging events due to
defectively dangerous products can best be borne by the enterprises that make and sell
these products.
 With insecure software, the question is whether the insecurity is due to a
design defect or a manufacturing defect.
 Software development generally goes through a number of phases before reaching the
user, such as (i) the design phase, (ii) the coding phase, (iii) the testing phase, and (iv)
the replication and distribution phase.
 A defect introduced into the product during the design phase would be deemed a design
defect.
 A defect introduced into the product at the replication and distribution phase would be
deemed a manufacturing defect.
 Coding phase??? Grey area.
 Vendors would generally argue that everything before the replication and distribution
phase is part of the product design process; hence a negligence standard should apply
to insecure software, except in the rare case where the defect occurred in the
replication process.
 Licensees would argue that the design defect standard should apply only to defects
introduced in the design phase, and that everything thereafter should be deemed part
of the manufacturing phase, and so subject to a strict liability standard.
 No cases on point, but that is not to say that they are not on their way…
Federal Trade Commission
TRENDnet, Inc. Case (September
2013)
 TRENDnet allegedly failed to provide reasonable security "to
prevent unauthorized access to sensitive information"
 FTC Consent Order required TRENDnet to engage in
 "secure software, development, and testing" risk assessments
as well as "reasonable and appropriate software security
testing techniques"
 Conduct an initial, and thereafter biennial, assessments and
reports – for twenty years – performed by a third-party CSSLP
or CISSP or "a similarly qualified person or organization; or a
similarly qualified person or organization approved by the
Associate Director for Enforcement, Bureau of Consumer
Protection, Federal Trade Commission…."
Federal Trade Commission
In re HTC America, Inc. Case
(February 2013)
 FTC complaint alleged that HTC:
 failed to "employ reasonable and appropriate security in
the design and customization of the software on its mobile
devices."
 failed to (1) implement an "adequate program to assess
the security of products it shipped to consumers," (2)
provide "adequate privacy and security guidance or
training for its engineering staff," (3) "conduct . . .
reviews, or tests to identify potential security
vulnerabilities in its mobile devices," and (4) "implement a
process for receiving and addressing security vulnerability
reports from third-party researchers."
Federal Trade Commission
 The FTC has begun taking action against software users whose
systems were breached by hackers and third-party confidential
information was disclosed.
 These recent FTC decisions suggest a new willingness by the FTC
to hold software makers liable for
 failing to design security into their products from the start, and
 failing to test and discover security vulnerabilities before releasing the
product into the market for advanced beta testing by paying
customers, who not only thereby pay for the "privilege" of testing the
vendor's product (saving the vendor enormous R&D costs) but who
previously had little or no remedy beyond a replacement of the
product (if that).

 Most victims still do not receive real recourse from FTC actions:
in most cases the FTC does not investigate, much less act, and limits
on private recourse and practical barriers to enforcement obstruct
private remedies.
 Plaintiffs' attorneys will take over and advance negligence, strict
product liability and professional malpractice causes of action
against software developers
Counterhacking Legal???
 Computer Fraud and Abuse Act
 "'exceeds authorized access' means to access a computer with
authorization and to use such access to obtain or alter information in
the computer that the accesser is not entitled so to obtain or alter."
 Put another way, you exceed authorized access if you obtain or alter
information you're not entitled to obtain or alter.
 Who controls the computer? The data owner or the computer
owner?
 Are you entitled to take back your stolen data from a
computer, but not sell the computer at a pawn shop?
 So can Disney hack into everyone's computers in pursuit of
pirated videos?
 Can future amendments recognize a counterhacking right to gather
evidence but not to harm innocent third parties? Will there be a
distinction between 99-cent music files and competitive
business data?
What Can You Do To Minimize Your
Risks to Liability?
 Always enter into written agreements that specifically address
express and implied warranties and limitation of liabilities
 Always have your written agreements state what law controls
the agreement. Be sure to make it a state that does not have
any cases where it has found software to be a service and the
UCC not applicable, or cases finding tort liability for insecure
software
 Always use Beta Agreements or Beta Language when launching
new or customized software, as software is always launched with
glitches requiring patches/maintenance
 Always have your written agreements state who is responsible
for maintenance services and whether such service requires
additional fees
What Can You Do To Minimize Your
Risks to Liability?
 Continuing education is always ongoing
 Audits – work with a security team to identify security issues
and determine what else can be done (e.g., encryption,
passwords, additional firewalls, etc.)
 "shall act with the care an ordinarily prudent person or
agency in like position would exercise under similar
circumstances"
 Policies & Procedures: create a security incident response
and notification plan
 Response team, contact police/local FBI, and document
response
 Consider adequate malpractice and cyber-insurance coverage
(typically covers notification costs) and utilizing it when in
question
Procedure:
What Constitutes a Breach?
 Was unencrypted and unredacted personal information
and/or protected health information accessed?
 Personal Information means the first name or first initial
and last name linked to one or more of the following data
elements of a resident of this state:
 SSN
 Driver License Number
 Account number, credit card/debit card number, in
combination with security code/access code/password
Procedure:
Is Notice Required?
 Material breach?
 Would access be likely to cause substantial loss, or
injury, or result in identity theft?
 How many to notify?
 Cost?
 Duty to notify as expeditiously as practical without
undue delay
Policy:
What Must the Notice Include?
 Describe the security breach (date/time)
 Describe the type of personal information that is the subject of
unauthorized access/use
 Describe what you have done to protect data from further
security breaches
 Include a telephone number where a notice recipient may obtain
assistance or additional information
 Remind recipients in the Notice of the need to remain vigilant
for incidents of fraud and identity theft
 MAY have to notify consumer reporting agencies
 By mail, telephone, electronic means?
So What? Why do this?
 State AG fines for failure to provide notice
($250/person), up to $750,000
 FTC fines – $1,500,000
 Civil remedy under state/federal law
 State trade practices statutes
 Breach of contract (terms/privacy policy)
 Breach of implied covenant of good faith and fair dealing
 Breach of implied contract
 Negligence/negligence per se
 Ruined reputation
Policy and Procedure
Practical Tips
 If you have experienced a data security breach, you may
have to comply with more than one state's laws if you have
customers that reside there
 Where health information is stored, requirements for
notification are far greater
 Know that class actions are out there, and increasing
 http://www.informationweek.com/security/client/linkedin-security-breach-triggers-mill/240002407
RESOURCES
www.IshmanLaw.com
(919) 468-3266
mishman@ishmanlaw.com

 State Laws (except in AL, KY, NM, SD)
 http://www.ncsl.org/issues-research/telecom/security-notification-laws.aspx
 Many states have identity theft statutes that may be applicable when there is a security
breach issue
 Federal law proposals on data breach notification requirements, but nothing enacted
YET
 International
 Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
 Federal Trade Commission
 http://www.ftc.gov/bcp/edu/microsites/idtheft/business/data-breach.html
 Biggest Data Breaches in 2013
 http://www.crn.com/slide-shows/security/240159149/the-10-biggest-data-breaches-of-2013-so-far.htm
 10 Biggest HIPAA Data Breaches in the U.S.
 http://www.healthcareitnews.com/slideshow/slideshow-top-10-biggest-hipaa-breaches-united-states
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnovEric Vanderburg
 

Mais procurados (20)

Data Security and Regulatory Compliance
Data Security and Regulatory ComplianceData Security and Regulatory Compliance
Data Security and Regulatory Compliance
 
Cybersecurity in ME April 25 slides
Cybersecurity in ME April 25 slidesCybersecurity in ME April 25 slides
Cybersecurity in ME April 25 slides
 
CMW Cyber Liability Presentation
CMW Cyber Liability PresentationCMW Cyber Liability Presentation
CMW Cyber Liability Presentation
 
2016 02-23 Is it time for a Security and Compliance Assessment?
2016 02-23 Is it time for a Security and Compliance Assessment?2016 02-23 Is it time for a Security and Compliance Assessment?
2016 02-23 Is it time for a Security and Compliance Assessment?
 
COMPUTER LAW, INVESTIGATION AND ETHICS DOMAIN
COMPUTER LAW, INVESTIGATION AND ETHICS DOMAINCOMPUTER LAW, INVESTIGATION AND ETHICS DOMAIN
COMPUTER LAW, INVESTIGATION AND ETHICS DOMAIN
 
Cybersecurity Law and Risk Management
Cybersecurity Law and Risk ManagementCybersecurity Law and Risk Management
Cybersecurity Law and Risk Management
 
10 Reasons to buy Cyber Liability Insurance
10 Reasons to buy Cyber Liability Insurance 10 Reasons to buy Cyber Liability Insurance
10 Reasons to buy Cyber Liability Insurance
 
The Basics of Cyber Insurance
The Basics of Cyber InsuranceThe Basics of Cyber Insurance
The Basics of Cyber Insurance
 
IS4799 Final Project (1)
IS4799 Final Project (1)IS4799 Final Project (1)
IS4799 Final Project (1)
 
20 New Trends and Developments in Computer and Internet Law
20 New Trends and Developments in Computer and Internet Law20 New Trends and Developments in Computer and Internet Law
20 New Trends and Developments in Computer and Internet Law
 
Information Security and Data Breach Trends 2014-2015
Information Security and Data Breach Trends 2014-2015Information Security and Data Breach Trends 2014-2015
Information Security and Data Breach Trends 2014-2015
 
Five strategies for gdpr compliance
Five strategies for gdpr complianceFive strategies for gdpr compliance
Five strategies for gdpr compliance
 
2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA Compliance2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA Compliance
 
Data Security and Privacy Under The Compliance Spotlight April 2014
Data Security and Privacy Under The Compliance Spotlight April 2014Data Security and Privacy Under The Compliance Spotlight April 2014
Data Security and Privacy Under The Compliance Spotlight April 2014
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-Force
 
Cyber Insurance
Cyber InsuranceCyber Insurance
Cyber Insurance
 
2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna
2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna
2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna
 
Ci2 cyber insurance presentation
Ci2 cyber insurance presentationCi2 cyber insurance presentation
Ci2 cyber insurance presentation
 
Case for-secure-email-encryption
Case for-secure-email-encryptionCase for-secure-email-encryption
Case for-secure-email-encryption
 
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnovProtecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
 

Destaque

2014 - KSU - So You Want to Be in Cyber Security?
2014 - KSU - So You Want to Be in Cyber Security?2014 - KSU - So You Want to Be in Cyber Security?
2014 - KSU - So You Want to Be in Cyber Security?Phil Agcaoili
 
Business Torts and crimes
Business Torts and   crimesBusiness Torts and   crimes
Business Torts and crimesMansur Rashid
 
An introduction to the CISSP certification for self study groups
An introduction to the CISSP certification for self study groupsAn introduction to the CISSP certification for self study groups
An introduction to the CISSP certification for self study groupsTomas Ericsson
 
Cyber Security Career Advice
Cyber Security Career AdviceCyber Security Career Advice
Cyber Security Career AdviceDonald E. Hester
 
HOW TO EARN CISSP CERTIFICATION?
HOW TO EARN CISSP CERTIFICATION?HOW TO EARN CISSP CERTIFICATION?
HOW TO EARN CISSP CERTIFICATION?Terro White
 
How Training and Consulting Companies Can Position CISSP, CISM and CRISC
How Training and Consulting Companies Can Position CISSP, CISM and CRISCHow Training and Consulting Companies Can Position CISSP, CISM and CRISC
How Training and Consulting Companies Can Position CISSP, CISM and CRISCITpreneurs
 
Ch3 1 powerpoint Tort Law
Ch3 1 powerpoint Tort LawCh3 1 powerpoint Tort Law
Ch3 1 powerpoint Tort Lawgellenberger
 

Destaque (8)

Top 9 Certifications
Top 9 CertificationsTop 9 Certifications
Top 9 Certifications
 
2014 - KSU - So You Want to Be in Cyber Security?
2014 - KSU - So You Want to Be in Cyber Security?2014 - KSU - So You Want to Be in Cyber Security?
2014 - KSU - So You Want to Be in Cyber Security?
 
Business Torts and crimes
Business Torts and   crimesBusiness Torts and   crimes
Business Torts and crimes
 
An introduction to the CISSP certification for self study groups
An introduction to the CISSP certification for self study groupsAn introduction to the CISSP certification for self study groups
An introduction to the CISSP certification for self study groups
 
Cyber Security Career Advice
Cyber Security Career AdviceCyber Security Career Advice
Cyber Security Career Advice
 
HOW TO EARN CISSP CERTIFICATION?
HOW TO EARN CISSP CERTIFICATION?HOW TO EARN CISSP CERTIFICATION?
HOW TO EARN CISSP CERTIFICATION?
 
How Training and Consulting Companies Can Position CISSP, CISM and CRISC
How Training and Consulting Companies Can Position CISSP, CISM and CRISCHow Training and Consulting Companies Can Position CISSP, CISM and CRISC
How Training and Consulting Companies Can Position CISSP, CISM and CRISC
 
Ch3 1 powerpoint Tort Law
Ch3 1 powerpoint Tort LawCh3 1 powerpoint Tort Law
Ch3 1 powerpoint Tort Law
 

Semelhante a Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort Liability for Cyber Security Breaches- Mark Ishman regulatory and tort liability for cybersecurity breaches d1

Regulatory Standards Of The Federal Information Systems...
Regulatory Standards Of The Federal Information Systems...Regulatory Standards Of The Federal Information Systems...
Regulatory Standards Of The Federal Information Systems...Anne Marie
 
The Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTThe Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTCompliancy Group
 
Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Cybersecurity Brief: Understanding Risk, Legal Framework, & InsuranceCybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Cybersecurity Brief: Understanding Risk, Legal Framework, & InsuranceSecureDocs
 
Data Risks In A Digital Age
Data Risks In A Digital Age Data Risks In A Digital Age
Data Risks In A Digital Age padler01
 
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdfThe Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdfProtected Harbor
 
MBM Achieving HIPAA Compliance Whitepaper
MBM Achieving HIPAA Compliance WhitepaperMBM Achieving HIPAA Compliance Whitepaper
MBM Achieving HIPAA Compliance WhitepaperMBMeHealthCareSolutions
 
Powerpoint mack jackson
Powerpoint   mack jacksonPowerpoint   mack jackson
Powerpoint mack jacksonaiimnevada
 
Standards Rely Heavily On The Network Effect, Which Is The...
Standards Rely Heavily On The Network Effect, Which Is The...Standards Rely Heavily On The Network Effect, Which Is The...
Standards Rely Heavily On The Network Effect, Which Is The...Haley Johnson
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6  Privacy and Data Protection 8 hrUnit 6  Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrTushar Rajput
 
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...Don Grauel
 
Law firm information security overview focus on encryption by dave cunningh...
Law firm information security overview   focus on encryption by dave cunningh...Law firm information security overview   focus on encryption by dave cunningh...
Law firm information security overview focus on encryption by dave cunningh...David Cunningham
 
An Overview of the Major Compliance Requirements
An Overview of the Major Compliance RequirementsAn Overview of the Major Compliance Requirements
An Overview of the Major Compliance RequirementsDoubleHorn
 
Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...- Mark - Fullbright
 
Maintain data privacy during software development
Maintain data privacy during software developmentMaintain data privacy during software development
Maintain data privacy during software developmentMuhammadArif823
 
Business Security Check Reducing Risks Your Computer Systems
Business Security Check Reducing Risks Your Computer SystemsBusiness Security Check Reducing Risks Your Computer Systems
Business Security Check Reducing Risks Your Computer Systems- Mark - Fullbright
 
Crossing the streams: How security professionals can leverage the NZ Privacy ...
Crossing the streams: How security professionals can leverage the NZ Privacy ...Crossing the streams: How security professionals can leverage the NZ Privacy ...
Crossing the streams: How security professionals can leverage the NZ Privacy ...Chris Hails
 

Semelhante a Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort Liability for Cyber Security Breaches- Mark Ishman regulatory and tort liability for cybersecurity breaches d1 (20)

Regulatory Standards Of The Federal Information Systems...
Regulatory Standards Of The Federal Information Systems...Regulatory Standards Of The Federal Information Systems...
Regulatory Standards Of The Federal Information Systems...
 
The Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTThe Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOT
 
Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Cybersecurity Brief: Understanding Risk, Legal Framework, & InsuranceCybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
 
Data Risks In A Digital Age
Data Risks In A Digital Age Data Risks In A Digital Age
Data Risks In A Digital Age
 
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdfThe Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
 
MBM Achieving HIPAA Compliance Whitepaper
MBM Achieving HIPAA Compliance WhitepaperMBM Achieving HIPAA Compliance Whitepaper
MBM Achieving HIPAA Compliance Whitepaper
 
Powerpoint mack jackson
Powerpoint   mack jacksonPowerpoint   mack jackson
Powerpoint mack jackson
 
Standards Rely Heavily On The Network Effect, Which Is The...
Standards Rely Heavily On The Network Effect, Which Is The...Standards Rely Heavily On The Network Effect, Which Is The...
Standards Rely Heavily On The Network Effect, Which Is The...
 
Data Privacy
Data PrivacyData Privacy
Data Privacy
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6  Privacy and Data Protection 8 hrUnit 6  Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hr
 
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
 
Law firm information security overview focus on encryption by dave cunningh...
Law firm information security overview   focus on encryption by dave cunningh...Law firm information security overview   focus on encryption by dave cunningh...
Law firm information security overview focus on encryption by dave cunningh...
 
An Overview of the Major Compliance Requirements
An Overview of the Major Compliance RequirementsAn Overview of the Major Compliance Requirements
An Overview of the Major Compliance Requirements
 
Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...
 
Maintain data privacy during software development
Maintain data privacy during software developmentMaintain data privacy during software development
Maintain data privacy during software development
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
IBM X-Force.PDF
IBM X-Force.PDFIBM X-Force.PDF
IBM X-Force.PDF
 
Business Security Check Reducing Risks Your Computer Systems
Business Security Check Reducing Risks Your Computer SystemsBusiness Security Check Reducing Risks Your Computer Systems
Business Security Check Reducing Risks Your Computer Systems
 
Data Privacy
Data PrivacyData Privacy
Data Privacy
 
Crossing the streams: How security professionals can leverage the NZ Privacy ...
Crossing the streams: How security professionals can leverage the NZ Privacy ...Crossing the streams: How security professionals can leverage the NZ Privacy ...
Crossing the streams: How security professionals can leverage the NZ Privacy ...
 

Mais de Raleigh ISSA

Raleigh issa chapter updates-slides-2014-9
Raleigh issa chapter updates-slides-2014-9Raleigh issa chapter updates-slides-2014-9
Raleigh issa chapter updates-slides-2014-9Raleigh ISSA
 
Raleigh issa chapter updates-slides-2014-8
Raleigh issa chapter updates-slides-2014-8Raleigh issa chapter updates-slides-2014-8
Raleigh issa chapter updates-slides-2014-8Raleigh ISSA
 
Raleigh issa chapter updates-slides-2014-7
Raleigh issa chapter updates-slides-2014-7Raleigh issa chapter updates-slides-2014-7
Raleigh issa chapter updates-slides-2014-7Raleigh ISSA
 
Raleigh issa chapter updates-slides-2014-6
Raleigh issa chapter updates-slides-2014-6Raleigh issa chapter updates-slides-2014-6
Raleigh issa chapter updates-slides-2014-6Raleigh ISSA
 
Managing privileged account security
Managing privileged account securityManaging privileged account security
Managing privileged account securityRaleigh ISSA
 
A10 issa d do s 5-2014
A10 issa d do s 5-2014A10 issa d do s 5-2014
A10 issa d do s 5-2014Raleigh ISSA
 
Raleigh issa chapter april meeting - managing a security & privacy governan...
Raleigh issa chapter   april meeting - managing a security & privacy governan...Raleigh issa chapter   april meeting - managing a security & privacy governan...
Raleigh issa chapter april meeting - managing a security & privacy governan...Raleigh ISSA
 
April 2014 Raleigh ISSA chapter update slides
April 2014 Raleigh ISSA chapter update slidesApril 2014 Raleigh ISSA chapter update slides
April 2014 Raleigh ISSA chapter update slidesRaleigh ISSA
 
March 2014 B2B - Breaking into info sec
March 2014 B2B - Breaking into info secMarch 2014 B2B - Breaking into info sec
March 2014 B2B - Breaking into info secRaleigh ISSA
 
March 2014 Raleigh ISSA chapter update slides
March 2014 Raleigh ISSA chapter update slidesMarch 2014 Raleigh ISSA chapter update slides
March 2014 Raleigh ISSA chapter update slidesRaleigh ISSA
 
February 2014 Raleigh Chapter ISSA Board update slides
February 2014 Raleigh Chapter ISSA Board update slidesFebruary 2014 Raleigh Chapter ISSA Board update slides
February 2014 Raleigh Chapter ISSA Board update slidesRaleigh ISSA
 
2014-01 Raleigh ISSA Chapter Updates January 2014
2014-01 Raleigh ISSA Chapter Updates January 20142014-01 Raleigh ISSA Chapter Updates January 2014
2014-01 Raleigh ISSA Chapter Updates January 2014Raleigh ISSA
 
2013-11 Raleigh ISSA Chapter Updates November 2013
2013-11 Raleigh ISSA Chapter Updates November 20132013-11 Raleigh ISSA Chapter Updates November 2013
2013-11 Raleigh ISSA Chapter Updates November 2013Raleigh ISSA
 
2013-10 Raleigh ISSA Chapter Updates October 2013
2013-10 Raleigh ISSA Chapter Updates October 20132013-10 Raleigh ISSA Chapter Updates October 2013
2013-10 Raleigh ISSA Chapter Updates October 2013Raleigh ISSA
 
2013-09 Raleigh ISSA Chapter Updates September 2013
2013-09 Raleigh ISSA Chapter Updates September 20132013-09 Raleigh ISSA Chapter Updates September 2013
2013-09 Raleigh ISSA Chapter Updates September 2013Raleigh ISSA
 
2013-08 Raleigh ISSA Chapter Updates August 2013
2013-08 Raleigh ISSA Chapter Updates August 20132013-08 Raleigh ISSA Chapter Updates August 2013
2013-08 Raleigh ISSA Chapter Updates August 2013Raleigh ISSA
 
2013-07 How to Win with Customers - Keith Pigues
2013-07 How to Win with Customers - Keith Pigues2013-07 How to Win with Customers - Keith Pigues
2013-07 How to Win with Customers - Keith PiguesRaleigh ISSA
 
2013-07 Raleigh ISSA Chapter Updates July 2013
2013-07 Raleigh ISSA Chapter Updates July 20132013-07 Raleigh ISSA Chapter Updates July 2013
2013-07 Raleigh ISSA Chapter Updates July 2013Raleigh ISSA
 
2013-06 Raleigh ISSA Chapter Updates June 2013
2013-06 Raleigh ISSA Chapter Updates June 20132013-06 Raleigh ISSA Chapter Updates June 2013
2013-06 Raleigh ISSA Chapter Updates June 2013Raleigh ISSA
 
2013-05 Raleigh ISSA Chapter Updates May 2013
2013-05 Raleigh ISSA Chapter Updates May 20132013-05 Raleigh ISSA Chapter Updates May 2013
2013-05 Raleigh ISSA Chapter Updates May 2013Raleigh ISSA
 

Mais de Raleigh ISSA (20)

Raleigh issa chapter updates-slides-2014-9
Raleigh issa chapter updates-slides-2014-9Raleigh issa chapter updates-slides-2014-9
Raleigh issa chapter updates-slides-2014-9
 
Raleigh issa chapter updates-slides-2014-8
Raleigh issa chapter updates-slides-2014-8Raleigh issa chapter updates-slides-2014-8
Raleigh issa chapter updates-slides-2014-8
 
Raleigh issa chapter updates-slides-2014-7
Raleigh issa chapter updates-slides-2014-7Raleigh issa chapter updates-slides-2014-7
Raleigh issa chapter updates-slides-2014-7
 
Raleigh issa chapter updates-slides-2014-6
Raleigh issa chapter updates-slides-2014-6Raleigh issa chapter updates-slides-2014-6
Raleigh issa chapter updates-slides-2014-6
 
Managing privileged account security
Managing privileged account securityManaging privileged account security
Managing privileged account security
 
A10 issa d do s 5-2014
A10 issa d do s 5-2014A10 issa d do s 5-2014
A10 issa d do s 5-2014
 
Raleigh issa chapter april meeting - managing a security & privacy governan...
Raleigh issa chapter   april meeting - managing a security & privacy governan...Raleigh issa chapter   april meeting - managing a security & privacy governan...
Raleigh issa chapter april meeting - managing a security & privacy governan...
 
April 2014 Raleigh ISSA chapter update slides
April 2014 Raleigh ISSA chapter update slidesApril 2014 Raleigh ISSA chapter update slides
April 2014 Raleigh ISSA chapter update slides
 
March 2014 B2B - Breaking into info sec
March 2014 B2B - Breaking into info secMarch 2014 B2B - Breaking into info sec
March 2014 B2B - Breaking into info sec
 
March 2014 Raleigh ISSA chapter update slides
March 2014 Raleigh ISSA chapter update slidesMarch 2014 Raleigh ISSA chapter update slides
March 2014 Raleigh ISSA chapter update slides
 
February 2014 Raleigh Chapter ISSA Board update slides
February 2014 Raleigh Chapter ISSA Board update slidesFebruary 2014 Raleigh Chapter ISSA Board update slides
February 2014 Raleigh Chapter ISSA Board update slides
 
2014-01 Raleigh ISSA Chapter Updates January 2014
2014-01 Raleigh ISSA Chapter Updates January 20142014-01 Raleigh ISSA Chapter Updates January 2014
2014-01 Raleigh ISSA Chapter Updates January 2014
 
2013-11 Raleigh ISSA Chapter Updates November 2013
2013-11 Raleigh ISSA Chapter Updates November 20132013-11 Raleigh ISSA Chapter Updates November 2013
2013-11 Raleigh ISSA Chapter Updates November 2013
 
2013-10 Raleigh ISSA Chapter Updates October 2013
2013-10 Raleigh ISSA Chapter Updates October 20132013-10 Raleigh ISSA Chapter Updates October 2013
2013-10 Raleigh ISSA Chapter Updates October 2013
 
2013-09 Raleigh ISSA Chapter Updates September 2013
2013-09 Raleigh ISSA Chapter Updates September 20132013-09 Raleigh ISSA Chapter Updates September 2013
2013-09 Raleigh ISSA Chapter Updates September 2013
 
2013-08 Raleigh ISSA Chapter Updates August 2013
2013-08 Raleigh ISSA Chapter Updates August 20132013-08 Raleigh ISSA Chapter Updates August 2013
2013-08 Raleigh ISSA Chapter Updates August 2013
 
2013-07 How to Win with Customers - Keith Pigues
2013-07 How to Win with Customers - Keith Pigues2013-07 How to Win with Customers - Keith Pigues
2013-07 How to Win with Customers - Keith Pigues
 
2013-07 Raleigh ISSA Chapter Updates July 2013
2013-07 Raleigh ISSA Chapter Updates July 20132013-07 Raleigh ISSA Chapter Updates July 2013
2013-07 Raleigh ISSA Chapter Updates July 2013
 
2013-06 Raleigh ISSA Chapter Updates June 2013
2013-06 Raleigh ISSA Chapter Updates June 20132013-06 Raleigh ISSA Chapter Updates June 2013
2013-06 Raleigh ISSA Chapter Updates June 2013
 
2013-05 Raleigh ISSA Chapter Updates May 2013
2013-05 Raleigh ISSA Chapter Updates May 20132013-05 Raleigh ISSA Chapter Updates May 2013
2013-05 Raleigh ISSA Chapter Updates May 2013
 

Último

Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncObject Automation
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServiceRenan Moreira de Oliveira
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIUdaiappa Ramachandran
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfAnna Loughnan Colquhoun
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceMartin Humpolec
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 

Último (20)

Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
Transcript: Growing Trend of Finding Regulatory and Tort Liability for Cyber Security Breaches (Mark Ishman, 2013-11)

1. GROWING TREND OF FINDING REGULATORY AND TORT LIABILITY FOR CYBERSECURITY BREACHES
Mark W. Ishman, Esq.
Masters in Law in Information Technology and Privacy Law
www.IshmanLaw.com | www.IshmanLegal.com
(919) 468-3266 | mishman@ishmanlaw.com

2. WHILE THERE IS A WIDE RANGE OF EXPERIENCE AND EXPERTISE EXHIBITED BY COMPUTER SOFTWARE DESIGNERS AND PROGRAMMERS, THOSE WHO DEVELOP OPERATING SYSTEMS AND SECURITY SOFTWARE ARE GENERALLY AT THE HIGHER END OF THE PROFESSION IN TERMS OF EDUCATION, TRAINING, AND EXPERIENCE.
Do I have your attention?
IT IS CERTAINLY POSSIBLE TO HOLD PROGRAMMERS WHO WRITE CRITICAL SOFTWARE, SUCH AS OPERATING SYSTEMS AND SECURITY SOFTWARE, TO A HIGHER STANDARD THAN THOSE WHO WRITE LESS CRITICAL CODE SUCH AS WORD PROCESSORS AND VIDEOGAMES.

3. Largest Known Data Breach – 160M Credit Cards – July 2013
• Five men from Russia and Ukraine have allegedly stolen over 160 million credit cards from 2005 to 2012 and sold them to others in the underground market, which were then used throughout the world for ATM cash withdrawals and purchases.
• The defendants allegedly sought corporate victims engaged in financial transactions, retailers that received and transmitted financial data, and other institutions with information they could exploit for profit.
• The defendants are charged with hacking and malware attacks upon NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.
• It is not alleged that the NASDAQ hack affected its trading platform.
• http://www.justice.gov/usao/nj/Press/files/Drinkman,%20Vladimir%20et%20al.%20Indictment%20News%20Release.html

4. HIPAA Breach Compromises over 4 Million People – August 2013
• Theft of four UNENCRYPTED LAPTOPS compromises over 4 million patients' medical files that contain their personal identifiable information (name, SSN, address, phone numbers and email addresses), Medicare data, medical diagnoses, insurance and payment information.
• 2nd largest HIPAA data breach to date (the largest to date is just under 5 million patient records compromised)
• Just last month, theft of two UNENCRYPTED LAPTOPS compromised over 729,000 patients' medical files – October 2013
• 11th largest HIPAA data breach to date
• To date, HIPAA Feds have collected over $16 million from 16 organizations that have been found guilty of violating HIPAA
• Data from the Department of Health and Human Services.

5. Publicly Traded Companies' Data Breaches
• Sony paid $171 million in cleanup from its April 2011 PlayStation Network breach
• Heartland Payment Systems paid an estimated $140 million for its loss
• Email services firm Epsilon paid an estimated $225 million in total costs as a result of its data breach
• PUBLICLY TRADED COMPANIES RETAIN OUTSIDE IT PROFESSIONAL CONSULTANTS FOR THEIR RECOMMENDATIONS AND FOR THEIR SPECIALIZED SECURITY SERVICES, BOTH FOR THE RETAINED SKILL SET AS WELL AS FOR LIABILITY REASONS

6. Federal Trade Commission Complaints
• The FTC has implemented initiatives to police computer data breaches
• FTC complaints are REactive and NOT PROactive – FTC complaints are all after the fact, rather than implementing rules and providing guidance
• Most companies settle with the FTC and pay a fine
• If you defend against an FTC complaint, expect LARGE litigation expenses, for example:
  - Large corporation Wyndham has just responded to an FTC complaint and has already spent $5 million on discovery
  - Small corporation LabMD (a 25-person company) has just responded to the FTC complaint and has spent $500,000 on discovery
7. How is there liability to IT security professionals for insecure software?

8. Top Ten List of Security Certifications???
10. Vendor Certifications – Cisco- and Microsoft-specific certifications top the list.
9. CCE – Certified Computer Examiner
8. CPP – Certified Protection Professional
7. CBCP – Certified Business Continuity Professional
6. CEH – Certified Ethical Hacker
5. CSFA – CyberSecurity Forensic Analyst
4. CISA – Certified Information Systems Auditor
3. GIAC – The Global Information Assurance Certification
2. CISM – Certified Information Security Manager
1. CISSP – Certified Information System Security Professional

9. What information security standards exist? Let's look at the law…
• Global
• State Laws – data security and breach notification laws
• ISO 17799, 27001
• Industry
• Basel II, EU Safe Harbors
• Payment Card Industry – VISA CISP, MasterCard SDP
• Country Standards
• Healthcare – HIPAA
• National – NIST & OECD
• Finance – Gramm-Leach-Bliley, SEC, NASD, FFIEC, OTS
• Finance – CoBIT & BITS
• Energy and Utility – NERC 1300, FERC, (NEI 04-04)
• Federal Government
• E-Commerce – FTC e-commerce requirements
• DOD – Rainbow Series, NIST
• NSA
• Presidential Directives

10. What is the legal and business impact of breached information security?
• Contractual violations
• Violation of state, federal and international laws
• Business interruption – income loss, extra expense
• Data asset loss, corruption, value reduction
• Lost ROI on technology and marketing investments
• Reputation losses & loss of valuation
• Extortion and other crisis management costs

11. What Laws Govern Insecure Software?
• HIPAA, Sarbanes-Oxley Act, Gramm-Leach-Bliley Act and other Acts, and their potential impact on liability to software developers
• Article 2 of the U.C.C.
  - Computer hardware and packaged software, as movable objects, are clearly goods and thus subject to the provisions of Article 2 – and for our conversation, Article 2 protection from tort-related causes of action
  - Transactions involving primarily personal services, such as those for customization, expertise, maintenance, training, and support, are often held not to be goods, and thus NOT to fall within the U.C.C.
  - What about specialized "secure" computer software? Does that fall under Article 2 or customized services?
• Negligence
• Product Liability
• Professional Malpractice Liability
• Federal Trade Commission complaint for unfair and deceptive acts or practices, for deceptive claims that companies were safeguarding customer data appropriately
12. Health Insurance Portability and Accountability Act (HIPAA)
• HIPAA makes security a necessary prerequisite to providing services to the health industry, including the provision of any financial services.
• Breach Notification Rules
  - Notify affected individuals
  - Notify Business Associates
  - Notify HHS (Federal Agency)
  - Audits and Fines
• Penalty amount: $100 to $50,000 or more per violation; repeat violations are $1,500,000, with a calendar year cap of $1,500,000

13. Sarbanes-Oxley Act (SOX)
• SOX requires that the CEO sign filings with the SEC that certify that the company's computer systems are secure and that the company maintains, in all material respects, effective internal controls over its financial reporting.
• If he's wrong, he faces potential prosecution for violations of SOX, with
  - personal fines of up to one to five million dollars and/or
  - imprisonment for up to ten to twenty years
• If the company asks its software vendors, whose products the company relies upon to provide that security and effective control, to certify that their systems meet SOX's requirements, the vendors
  - politely decline, mumbling something about how all software has bugs and the company is not willing to assume the risk that the customer's system may be compromised by hackers, cyberterrorists, or perhaps just a disgruntled ex-employee.
• Thus far the SEC has not taken action against any corporate executives who have signed such an undertaking that later turned out to be untrue.
• We have not yet had a major accounting scandal arising from software vulnerabilities

14. Gramm-Leach-Bliley Act (GLB)
• GLB is a comprehensive privacy and security law that financial companies must adhere to.
• GLB covers both information handling practices and security practices for "nonpublic personal information" (NPI).
• GLB's security requirements:
  - You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue (emphasis added).
• Also requires:
  1. Exercise appropriate due diligence in selecting your service providers;
  2. Require your service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and
  3. Where indicated by your risk assessment, monitor your service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, you

15. Article 2 of the UCC
• Most bundled software (off-the-shelf or custom) falls within Article 2 of the UCC
  - A good thing for IT professionals, because you can use the UCC to limit your liability, e.g., disclaimer of express and implied warranties, limitation of liabilities and remedies
• Standalone (unbundled), customized and expertise (security) software are determined on a case-by-case basis
  - Plaintiff attorneys will allege that the software vendor is in the best position to take action to prevent security breaches with standalone customized software.
  - Plaintiff attorneys will allege that software vendors were negligent in the production or design of the computer security systems, e.g., coding of the security and encryption software

16. Negligence Claim – 5 Elements
(1) Software vendor owed a DUTY to the Plaintiff
• What type of duties?
  - Duty to design and develop secure software
  - Duty to instruct the licensee on how to use its products safely
  - Duty to warn its licensees of the hidden dangers that the designed software may contain
• Whether a duty exists in the law is largely a policy-based determination:
  - Foreseeability of harm of a security breach
  - Degree of certainty between the vulnerabilities and the harm
  - Closeness of the connection between lax Internet security practices and the injury suffered
  - Policy of preventing future intrusions
  - Burden on the IT industry
  - Consequences to the public of imposing a duty to maintain adequate security
  - Availability, costs and prevalence of security solutions
  - Insurance
17. Negligence Claim – 5 Elements
(2) Standard of Care Imposed on the Software Vendor by that Duty
• Generally this means what the reasonably prudent person would do under the circumstances
• In the IT industry, this standard of care is evolving rapidly, and methodologies, procedures, and practices have been accepted by the industry as risks are exposed
• The appropriate level of care to be followed in custom software will vary depending on the nature and intensity of the perceived risk resulting from an error
• Thus, the software developer's duty under negligence law is not perfection, but only reasonableness, i.e., the standard of care of a reasonable developer of security-related software under like circumstances – employing the industry's best-practice security standards

18. Negligence Claim – 5 Elements
(3) Breach of Duty
• With secure software, there are currently no accepted tests for determining when a software developer has breached its duty

19. Negligence Claim – 5 Elements
(4) Causation
• Two-prong test:
  - The software developer's negligence must have been the cause-in-fact of the plaintiff's injuries (but-for or substantial factor);
  - The software developer's conduct must have been the proximate (legal) cause of the injury, i.e., a foreseeable result of the negligent act

20. Negligence Claim – 5 Elements
(5) Damages
• Plaintiffs are entitled to recover ALL damages, e.g., personal injuries, property damages, economic losses
• Some courts do not allow recovery of economic losses, e.g., defamation
• Some courts do not allow damages for data entered into the computer system by a customer because that data is not part of the software
• Until recently, for security breach cases, the plaintiffs have been unable to establish the "damages" requirement for negligence.
  - In essence, courts have ruled that a consumer taking pre-emptive actions to protect his or her credit has not suffered compensatory damages.
  - Even if consumers can show that they suffered identity theft, they still have to establish that the security breach was the cause of such identity theft (in theory the consumer's personal information could have been obtained from a multitude of sources).
• Companies face the prospect of expensive attorney fees to defend these actions, and if the plaintiffs' bar breaks through they could face significant liability.

21. Negligence Applied to Security Breach Liability
• Traditionally, security breaches are criminal acts of third parties, and a software vendor cannot be liable for third-party criminal conduct unless it is determined that such criminal conduct was highly foreseeable.
• With hundreds of thousands of new cybersecurity threats created every day, aren't third-party criminal acts of hacking highly foreseeable?
• Duty, standard of reasonable care, breach of duty, causation (foreseeability) and damages
• A California real estate escrow company has filed a NEGLIGENCE lawsuit against its former bank for the loss of $465,000 in an online banking hack last year – http://krebsonsecurity.com/2011/07/
22. Negligence Cases
Invacare Corp. v. Sperry Corp. (N.D. Ohio 1984)
• The federal district court refused to dismiss a negligence claim alleging that a computer seller was negligent for recommending its program and services to the buyer when "it knew, or in the exercise of ordinary care, it should have known, that . . . the programs and related data processing products were inadequate," and because it advertised to the buyer when it knew or should have known that "the programs furnished could not satisfy [the buyer's] requirements."
• The court held that personnel in the computer industry, like personnel in other trades (doctors, accountants, lawyers), should be held to the ordinary standard of care for their trade.

23. Negligence Case
Claridge v. RockYou, Inc. (N.D. Cal. 2011)
• RockYou is a publisher and developer of online services and applications for use with social networking sites such as Facebook and MySpace
• RockYou applications allow its users to share photographs and write special text on a friend's page, or play games with other users.
• Customers are required to sign up to use RockYou applications by submitting personal identifiable information, which RockYou stores in a database
• The plaintiff alleges that RockYou promised through its website to safeguard the plaintiff's personal identifiable information through commercially reasonable measures … that did not include any form of encryption
• The plaintiff's personal identifiable information was hacked and available online
• The federal district court held that the plaintiff's negligence claim could proceed against RockYou despite not alleging specific damages other than unauthorized and public disclosure of the plaintiff's personal identifiable information

24. Negligence Case
Patco Constr. Co. Inc. v. People's United Bank (1st Cir. July 2012)
• Hackers installed malware on Patco's computers and stole its banking user name and password, then used Patco's banking credentials to transfer money offshore from Patco's account (common hacking facts)
• Since the hackers were attempting a large offshore transfer that was so far out of the normal conduct by Patco, it caused an alert to flag this transaction
• The bank manager decided that since the password/user name combination and the accompanying answers to certain challenge questions were sufficient to verify the transaction, the bank manager ignored the alert and all the money went offshore
• The Federal Appellate Court held that the bank's reliance on password authentication and its decision to ignore certain transaction-based flags that highlighted the unusually large offshore transfer was not necessarily a good commercial practice.
• The court found that the bank's reliance on answers to challenge questions that the hackers provided was not a good security practice.
• The court found that the bank's contract with Patco incorporated the UCC requirement that the bank act in a commercially reasonable way, and found that the protections the bank had implemented were unreasonable
• Afterwards, this case settled for $345,000 (the amount transferred) and $45,000 in interest.

25. Negligence Case
Lone Star Bank, et al. v. Heartland Payment Systems (5th Cir. September 2013)
• Heartland had a contract with acquiring banks (plaintiffs) to provide credit card processing services.
• Heartland was hacked in 2009 and lost the data from more than 160 million credit card accounts.
• Because of the interlocking web of financial relationships in credit card transactions, Heartland was not the only bank affected by the hacking incident
• Damages included losses from fraudulent use of the stolen data, the cost of replacing credit cards and the costs of providing their customers with credit monitoring services
• The Federal Appellate Court held that the issuing banks had a valid negligence claim against Heartland for its cybersecurity failures and that, if proven, they could recover their consequential damages from Heartland

26. Today's recent headlines
• Negligence for theft of data from UNENCRYPTED LAPTOPS
• Hackers break in at a US-based company that brokers reservations for limousine and Town Car services nationwide, exposing the personal and financial information of more than 850,000 well-to-do customers, such as Fortune 500 CEOs, lawmakers and celebrities – http://krebsonsecurity.com/2013/11/hackers-take-limo-service-firm-for-a-ride/
• Negligence for theft of data caused by storing data on servers that hackers are known to use to stash their stolen data
27. Professional Malpractice Law
• Professional liability has generally been applied to those who, by virtue of specific training and licensing, are deemed to have a level of skill higher than that of non-professionals.
• To date, courts have been reluctant to hold computer designers or programmers to the higher standard of professionals due to the lack of established educational standards or regulations governing the performance of software programmers and developers, and because they are not licensed as professionals … that is changing
• Many software developers have received extensive training in the use of certain programming and testing techniques, passed rigorous tests to become "certified," and reached levels of expertise not held by general programmers.
• While this is not identical to the licensing requirements of state licensing boards such as state bar associations or medical boards, it may be sufficient to justify holding these certified developers to a higher, professional standard, particularly where their certifications relate to secure software development.

28. Top Ten List of Security Certifications???
10. Vendor Certifications – Cisco- and Microsoft-specific certifications top the list.
9. CCE – Certified Computer Examiner
8. CPP – Certified Protection Professional
7. CBCP – Certified Business Continuity Professional
6. CEH – Certified Ethical Hacker
5. CSFA – CyberSecurity Forensic Analyst
4. CISA – Certified Information Systems Auditor
3. GIAC – The Global Information Assurance Certification
2. CISM – Certified Information Security Manager
1. CISSP – Certified Information System Security Professional

29. Professional Malpractice Case
Diversified Graphics, Ltd. v. Groves (8th Cir. 1989)
• The plaintiff hired a large accounting firm to help it locate a turnkey computer system.
• When the chosen system proved inadequate for the company's needs, the company sued.
• The court ruled that the accounting firm should be held to the American Institute of Certified Public Accountants' Management Advisory Service Practice Standards, which the firm had incorporated into its guidelines for internal use.
• While the court refused to acknowledge a cause of action for computer malpractice, by holding the accounting firm to the AICPA standards it achieved essentially the same result.

30. Professional Malpractice Case
Data Processing Services, Inc. v. L.H. Smith Oil Corp. (Ind. Ct. App. 1986)
• The plaintiff claimed that the defendant was negligent in designing an accounting and data processing software system.
• The state appellate court stated in dictum that "[t]hose who hold themselves out to the world as possessing skill and qualifications in their respective trades or professions impliedly represent they possess the skill and will exhibit the diligence ordinarily possessed by well informed members of the trade or profession."
• The court concluded that "[t]he situation here is more analogous to a client seeking a lawyer's advice or a patient seeking medical treatment for a particular ailment than it is to a customer buying seed corn, soap, or cam shafts."

31. Product Liability for Insecure Software
• Product liability law is imposed on the theory that the costs of damaging events due to defectively dangerous products can best be borne by the enterprisers who make and sell these products.
• With insecure software, the question is whether the software insecurity is due to a design defect or a manufacturing defect
• Software development generally goes through a number of phases before reaching the user, such as (i) the design phase, (ii) the coding phase, (iii) the testing phase, and (iv) the replication and distribution phase
  - A defect introduced into the product during the design phase would be deemed a design defect.
  - A defect introduced into the product at the replication and distribution phase would be deemed a manufacturing defect.
  - Coding phase??? Grey area
• Vendors would generally argue that everything before the replication and distribution phase is part of the product design process; hence, a negligence standard should apply to insecure software, except in the rare case where the defect occurred in the replication process.
• Licensees would argue that the design defect standard should apply only to defects introduced in the design phase, and that everything thereafter should be deemed part of the manufacturing phase – and subject to a strict liability standard.
• No cases on point, but that is not to say that they are not on their way …
32. Federal Trade Commission Complaints
• The FTC has implemented initiatives to police computer data breaches
• FTC complaints are REactive and NOT PROactive – FTC complaints are all after the fact, rather than implementing rules and providing guidance
• Most companies settle with the FTC and pay a fine
• If you defend against an FTC complaint, expect LARGE litigation expenses, for example:
  - Large corporation Wyndham has just responded to an FTC complaint and has already spent $5 million on discovery
  - Small corporation LabMD (a 25-person company) has just responded to the FTC complaint and has spent $500,000 on discovery

33. Federal Trade Commission
TRENDnet, Inc. Case (September 2013)
• TRENDnet allegedly failed to provide reasonable security "to prevent unauthorized access to sensitive information"
• The FTC Consent Order required TRENDnet to:
  - engage in "secure software, development, and testing" risk assessments as well as "reasonable and appropriate software security testing techniques"
  - conduct initial, and thereafter biennial, assessments and reports – for twenty years – performed by a third-party CSSLP or CISSP or "a similarly qualified person or organization; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission…."

34. Federal Trade Commission
In re HTC America, Inc. Case (February 2013)
• The FTC complaint alleged that HTC:
  - failed to "employ reasonable and appropriate security in the design and customization of the software on its mobile devices."
  - failed to (1) implement an "adequate program to assess the security of products it shipped to consumers," (2) provide "adequate privacy and security guidance or training for its engineering staff," (3) "conduct . . . reviews, or tests to identify potential security vulnerabilities in its mobile devices," and (4) "implement a process for receiving and addressing security vulnerability reports from third-party researchers."

35. Federal Trade Commission
• The FTC has begun taking action against software users whose systems were breached by hackers and whose third-party confidential information was disclosed.
• These recent FTC decisions suggest a new willingness by the FTC to hold software makers liable for
  - failing to design security into their products from the start, and
  - failing to test and discover security vulnerabilities before releasing the product into the market for advanced beta testing by paying customers, who not only thereby pay for the "privilege" of testing the vendor's product (saving the vendor enormous R&D costs) but who previously had little or no remedy beyond a replacement of the product (if that).
• Most victims still do not receive real recourse from FTC actions, because the FTC does not even investigate, much less act, in most cases, and limits on private recourse and practical barriers to enforcement obstruct private remedies.
• Plaintiffs' attorneys will take over and advance negligence, strict product liability and professional malpractice causes of action against software developers

36. Counterhacking Legal???
• Computer Fraud and Abuse Act
  - "'exceeds authorized access' means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."
  - Put another way, you exceed authorized access if you obtain or alter information you're not entitled to obtain or alter.
• Who controls the computer? The data owner or the computer owner?
• Are you entitled to take back your stolen data from a computer, but not sell the computer at a pawn shop?
• So can Disney hack into everyone's computers in pursuit of pirated videos?
• Can future amendments recognize a counterhacking right to gather evidence but not to harm innocent third parties? Will there be a distinction between 99-cent music files and competitive business data?
37. What Can You Do To Minimize Your Risks to Liability?
• Always enter into written agreements that specifically address express and implied warranties and limitation of liabilities
• Always have your written agreements state what law controls the agreement. Be sure to make it a state that does not have any cases finding software to be a service and the UCC not applicable, or cases finding tort liability for insecure software
• Always use Beta Agreements or Beta Language when launching new or customized software, as software is always launched with glitches requiring patches/maintenance
• Always have your written agreements state who is responsible for maintenance services and whether such service requires additional fees

38. What Can You Do To Minimize Your Risks to Liability?
• Continuing education is always ongoing
• Audits – work with a security team to identify security issues and determine what else can be done (e.g., encryption, passwords, additional firewalls, etc.)
  - "shall act with the care of an ordinary prudent person or agency in like position would exercise under similar circumstances"
• Policies & Procedures: create a security incident response and notification plan
  - Response team, contact police/local FBI, and document the response
• Consider great malpractice and cyber-insurance coverage (typically covers notification costs) and utilize it when in question

39. Procedure: What Constitutes a Breach?
• Was unencrypted and unredacted personal information and/or protected health information accessed?
• Personal Information means the first name or first initial and last name linked to one or more of the following data elements of a resident of this state:
  - SSN
  - Driver license number
  - Account number, credit card/debit card number, in combination with security code/access code/password

40. Procedure: Is Notice Required?
• Material breach?
• Would access be likely to cause substantial loss or injury, or result in identity theft?
• How many to notify?
• Cost?
• Duty to notify as expeditiously as practical without undue delay

41. Policy: What Must the Notice Include?
• Describe the security breach (date/time)
• Describe the type of personal information that is the subject of unauthorized access/use
• Describe what you have done to protect data from further security breaches
• Include a telephone number where a notice recipient may obtain assistance or additional information
• Remind recipients in the notice of the need to remain vigilant for incidents of fraud and identity theft
• MAY have to notify consumer reporting agencies
• By mail, telephone, electronic means?

42. So What? Why do this?
• State AG fines for failure to provide notice ($250/person), up to $750,000
• FTC fines – $1,500,000
• Civil remedy under state/federal law
  - State trade practices statutes
  - Breach of contract (terms/privacy policy)
  - Breach of implied covenant of good faith and fair dealing
  - Breach of implied contract
  - Negligence/negligence per se
• Ruined reputation

43. Policy and Procedure Practical Tips
• If you have experienced a data security breach, you may have to comply with more than one state's laws if you have customers that reside there
• Where health information is stored, requirements for notification are far greater
• Know that class actions are out there, and increasing
  - http://www.informationweek.com/security/client/linkedin-security-breach-triggers-mill/240002407

44. RESOURCES
www.IshmanLaw.com | (919) 468-3266 | mishman@ishmanlaw.com
• State Laws (except in AL, KY, NM, SD)
  - http://www.ncsl.org/issues-research/telecom/security-notification-laws.aspx
  - Many states have identity theft statutes that may be applicable when there is a security breach issue
• Federal law proposals on data breach notification requirements, but nothing enacted YET
• International
  - Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
• Federal Trade Commission
  - http://www.ftc.gov/bcp/edu/microsites/idtheft/business/data-breach.html
• Biggest Data Breaches in 2013
  - http://www.crn.com/slide-shows/security/240159149/the-10-biggest-data-breaches-of-2013-so-far.htm
• 10 Biggest HIPAA Data Breaches in the U.S.
  - http://www.healthcareitnews.com/slideshow/slideshow-top-10-biggest-hipaa-breaches-united-states