Get the FUD out of Cybersecurity! ISACA CSXNA 2016 in Las Vegas

Shawn E. Tuma, Cybersecurity Attorney
Partner, Scheef & Stone, LLP
Get the FUD out of
Cybersecurity!

Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
Join the conversation!
@shawnetuma
#CSXNA

• The Y2K Legal Expert
• Path: Y2K > computer fraud >
data breach
• 2011
• “Year of Data Breach”
• “Who’s Gonna Get It?”
Do you remember Y2K?

2014: The real Year of the Data Breach
Cybersecurity:
a legal issue?

Consider these 2 statements:
• “There are only two types of
companies: those that have been
hacked, and those that will be.”
• “It’s not a matter of if, but when your
company is hacked.”
Selling FUD is so 2014!

• FUD = fear × uncertainty × doubt
• Why?
• It gets media attention
• It is cool, exotic, sexy
• It justifies the most sophisticated (i.e.,
expensive) tools
Why so much FUD?

• Cybersecurity & data breaches are an
epidemic
• Impacted by data breach?
The threat is real

Awareness is real, also
What concerns keep Chief
Legal Officers awake at
night?
#2 = Data Breaches
82% consider as somewhat,
very, or extremely important

• “These three thieves, fear,
uncertainty, and doubt, will rob you
of your future.” –E.R. Haas
• Complacency was the problem
• Hopelessness is now the problem
• Eat a live frog –Mark Twain
The “too much FUD” problem

Easily preventable
• 90% in 2014
• 91% in 2015
The Turning Point
• 63% confirmed breaches from weak, default, or
stolen passwords
• Data is lost over 100x more than stolen
• Phishing used most to install malware

Where Would You Start?
Easily Preventable Sophisticated Attacks
Threats

“We must free ourselves
of the hope that the sea
will ever rest. We must
learn to sail in high
winds.”
-Aristotle Onassis
Leadership

• Leaders find solutions.
• Leaders bring calm and rational
decision making to crisis situations.
• Yes, this is new, unchartered territory.
• But, we are pioneers made to thrive in
the unknown – it’s what we do.
• Focus on what we know.
Leadership

• “All warfare is based on deception.”
• “Water shapes its course according
to the nature of the ground over
which it flows; the soldier works out
his victory in relation to the foe whom
he is facing.”
• “In all fighting the direct method may
be used for joining battle, but indirect
methods will be needed to secure
victory.”
• “Attack him where he is unprepared;
appear where you are not expected.”
Sun Tzu on Hacking

• “The general who wins the battle
makes many calculations in his temple
before the battle is fought. The general
who loses makes but few calculations
beforehand.”
• “Strategy without tactics is the slowest
route to victory. Tactics without strategy
is the noise before defeat.”
• “The quality of decision is like the well-
timed swoop of a falcon which enables
it to strike and destroy its victim.”
Sun Tzu on Security

Preparation
“You don’t drown
by falling in the
water; You drown
by staying there.”

“Some people try to find
things in this game that
don’t exist but football is
only two things – blocking
and tackling.”
-Vince Lombardi
Start with the Basics

• Attacks will be different than past.
• Attacks will usually be indirect, not
direct.
• Attackers will use deception.
• Attackers will focus on the area least
protected – the human element.
• Preparation allows adaptation.
What We Know

• Culture of security
• Policies and procedures
• Systems and controls
• Education and training
• Goal: teach people to think,
recognize, and resist
Prepare Workforce

“Security and IT protect companies’ data;
Legal protects companies from their data.”

Takeaway: Standard is reasonableness.
• In re Target Data Security Breach Litigation (Financial
Institutions) (Dec. 2, 2014)
• Companies have a duty to be reasonably informed and take
reasonable measures to protect against cybersecurity risks.
• It’s the diligence, not the breach, that counts.
• The court found duties to
• Reasonably protect others’ data
• Not disable security devices (i.e., if have it, use it)
• Respond when alerted of an attack
Legal Foundations

Takeaway: Must have basic IT security.
• F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug.
24, 2015).
• The FTC has authority to regulate cybersecurity under the
unfairness prong of § 45(a) of the FTC Act.
• Companies have fair notice that their specific cybersecurity
practices could fall short of that provision.
• 3 breaches / 619,000 records / $10.6 million in fraud
• Rudimentary practices v. 2007 guidebook
• Website Privacy Policy misrepresentations
Legal Foundations

Takeaway: Must have internal network controls.
• F.T.C. v. LabMD (July 2016 FTC Commission Order)
• LabMD had 1 employee using LimeWire, Tiversa obtained file
with PHI information and provided to the FTC.
• “LabMD’s data security practices constitute an unfair act or
practice within the meaning of Section 5 of the FTC Act. We
enter an order requiring that LabMD notify affected consumers,
establish a comprehensive information security program
reasonably designed to protect the security and confidentiality of
the personal consumer information in its possession, and obtain
independent assessments regarding its implementation of the
program.”
Legal Foundations

Takeaway: Must have written policies & procedures.
• S.E.C. v. R.T. Jones Capital Equities Management, Consent
Order (Sept. 22, 2015).
• “R.T. Jones failed to adopt written policies and procedures
reasonably designed to safeguard customer information.”
• R.T. Jones violated the Securities Act’s “Safeguards Rule”
• 100,000 records vulnerable; no reports of actual harm
• $75,000 penalty
• Cease and desist having any future violations
Legal Foundations

Takeaway: Must have written incident
response plan.
• S.E.C. v. R.T. Jones Capital Equities Management,
Consent Order (Sept. 22, 2015).
• Firms “need to anticipate potential cybersecurity events
and have clear procedures in place rather than waiting to
react once a breach occurs.”
Legal Foundations

Response Plan Points
• Goal is to execute
• This is check list, not
an IRP
• How detailed?
• Tabletop exercises
Legal Foundations

How quick to respond?
• 45 days (most states)
• 30 days (some states)
• 3 days (fed contracts)
• 2 days (business expectation)
• Immediately (contracts)
Legal Foundations

Takeaway: Must evaluate third-parties’ security.
• In re GMR Transcription Svcs., Inc., Consent Order (Aug. 14,
2014).
• FTC’s Order requires business to follow 3 steps when working
with third-party service providers:
• Investigate before hiring data service providers
• Obligate data service providers to adhere to the appropriate
level of data security protections
• Verify that the data service providers are complying with
obligations (contracts)
Legal Foundations

Takeaway: Know your contractual obligations.
• Addendum to business contracts
• Common names: Data Security & Privacy Agreement; Data
Privacy; Cybersecurity; Privacy; Information Security
• Common features:
• Defines subject “Data” being protected in categories
• Describes acceptable and prohibited uses for Data
• Describes standards for protecting Data
• Describes obligations and responsibility for breach of Data
• Requires binding third-parties to similar provisions
Legal Foundations

The Game Changer?
New York Department of Financial Services
Cybersecurity Requirements for Financial Services
Companies + [fill in]
• All NY “financial institutions”
• Establish Cybersecurity Program (w/ specifics)
• Adopt Cybersecurity Policies
• Designate qualified CISO to be responsible
• Written Incident Response Plan
• Third-Party Providers – examine, obligate, audit
• Board or Senior Officer Certify Compliance

Cybersecurity Risk Management

Instead of FUD
“You don’t drown
by falling in the
water; You drown
by staying there.”
Teach people how
to swim – better
yet, how to surf!

• Board of Directors & GeneralCounsel, Cyber Future Foundation
• Board of Directors, NorthTexasCyber Forensics Lab
• Cybersecurity & Data Privacy LawTrailblazers, National Law Journal (2016)
• SuperLawyersTop 100 Lawyers in Dallas (2016)
• SuperLawyers 2015-16 (IP Litigation)
• Best Lawyers in Dallas 2014-16, D Magazine (Digital Information Law)
• Council, Computer &Technology Section, State Bar ofTexas
• Privacy and Data Security Committee of the State Bar ofTexas
• College of the State Bar ofTexas
• Board of Directors,Collin County Bench Bar Foundation
• Past Chair, Civil Litigation & Appellate Section,Collin County Bar Association
• Information SecurityCommittee of the Section on Science &Technology Committee of the
American Bar Association
• NorthTexasCrime Commission, CybercrimeCommittee
• Infragard (FBI)
• InternationalAssociation of Privacy Professionals (IAPP)
• Board of AdvisorsOffice of CISO, Optiv Security
• Editor, Business Cybersecurity Business Law Blog
Shawn Tuma
Cybersecurity Partner
Scheef & Stone, L.L.P.
214.472.2135
shawn.tuma@solidcounsel.com
@shawnetuma
blog: www.shawnetuma.com
web: www.solidcounsel.com

Get the FUD out of Cybersecurity! ISACA CSXNA 2016 in Las Vegas

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (12)

Semelhante a Get the FUD out of Cybersecurity! ISACA CSXNA 2016 in Las Vegas

Semelhante a Get the FUD out of Cybersecurity! ISACA CSXNA 2016 in Las Vegas (20)

Mais de Shawn Tuma

Mais de Shawn Tuma (20)

Último

Último (20)

Get the FUD out of Cybersecurity! ISACA CSXNA 2016 in Las Vegas