Heather Enlow & Chris Ingram - Cybersecurity Act of 2015 and Other Hot Privacy and Cybersecurity Topics

© Copyright 2016, Vorys, Sater, Seymour and Pease LLP. All Rights Reserved. Higher standards make better lawyers.®
2016 Central Ohio InfoSec Summit
Cybersecurity Act of 2015 & Other Hot Privacy and
Cybersecurity Topics
Heather Enlow-Novitsky
henovitsky@vorys.com
614-464-6226
Chris Ingram
clingram@vorys.com
614-464-5480
March 30, 2016
1

Topics
1) Cybersecurity Act of 2015 – CISA
2) Proposed EU-US Privacy Shield
3) Encryption Wars & Mobile Devices
4) FTC’s Regulation of Unfair Cybersecurity Practices
2

3

Cybersecurity Act of 2015
› Mechanism for sharing cybersecurity information
among private sector and federal entities
› Authorizes entities to monitor certain information
systems and operate defensive measures
› Provides safe harbors for liability
› DHS lead agency to manage sharing
4

CISA – Definitions
› “Cyberthreat indicator”
• Information necessary to describe
or identify -
› Malicious reconnaissance
› Methods for defeating
security or exploiting
vulnerability
› Methods causing a user with
legitimate access to
unwittingly enable security
vulnerability
› Malicious cyber command
and control
› The actual or potential harm
caused
› “Defensive measures”
› Essentially a measure that detects,
prevents, or mitigates a known or
suspected cybersecurity threat or security
vulnerability
› Excludes “a measure that destroys,
renders unusable, provides unauthorized
access to, or substantially harms an
information system or information stored
on, processed by, or transiting such
information system not owned by:
• The private entity operating the measure; or
• Another entity or federal entity that is
authorized to provide consent and has provided
consent to that private entity for operation of
such measure.”
5

CISA- Federal Sharing
› Federal agencies to issue procedures within 60 days to allow timely
sharing of cyberthreat indicators and defensive measures:
• Ensure real time sharing among federal agencies
• Incorporate existing processes, roles, and responsibilities (ISACs)
• Include rules and procedures for notifying entities that receive erroneous
information or where information is shared in violation of CISA
• Protect against unauthorized access to shared cyberthreat information
• Require removal of personal or personally identifiable information of
individuals not directly related to cybersecurity threat
6

CISA - Nonfederal Sharing
› Authorizes nonfederal entities to share cyberthreat
indicators and defensive measures
› Classified information must be protected
› Must scrub PII not directly related to a cyberthreat prior
to sharing
› DHS was given 90 days to develop a process to accept
real time info. from nonfederal entities and to
automatically share with other federal agencies
7

CISA - Use of Information
› Information received under CISA may be disclosed, retained
or used only for:
• Cybersecurity purpose
• Identifying cybersecurity threats or security vulnerabilities
• Responding to, preventing, or mitigating a specific threat of death,
physical or economic harm
• Responding to, investigating, prosecuting, preventing or mitigating a
serious threat to a minor or offense related to above; or
• Offenses relating to fraud, identity theft, espionage, censorship, or the
protection of trade secrets
8

CISA – Safe Harbors for Private Entities
› No civil liability for sharing or receiving cyberthreat
indicators or defensive measures
› Shared information may not be used to regulate,
including in an enforcement action
• Can be used to inform the development of regulations of
information systems relating to the prevention or
mitigation of cybersecurity threats
9

CISA – Safe Harbors for Private Entities
› No antitrust liability for private entities exchanging
cyberthreat indicators or defensive measures
› No waiver of privileges or protection (including
trade secret)
› No duty to share, warn or act, and no liability for not
sharing.
• Federal entities may not require sharing as a condition of
awarding any federal grant or contract
10

CISA – Other Provisions
› Authorizes private entities to monitor and apply defensive
measures to their own information systems and others that
have provided written consent, including information
processed by or transmitted through those systems
• Does not authorize measures that destroy, render unusable, provide
unauthorized access to, or substantially harm an information system or
information not owned by the private entity or consenting entity
› Reporting requirements to Congress
› Broad preemption
› 10 year sunset provision
11

CISA – Concerns Remain
› What standard of care will private entities be held to when
scrubbing data?
› Is the immunity given to private entities too broad or is it
insufficient?
› Should the types of information shared be limited?
› Should this be exempt from FOIA?
› Will this enable additional surveillance and/or
investigations unrelated to cybersecurity?
12

H.R. 4350 – CISA’s Demise?
13

Sharing Data From Across the Pond
14

EU – Data Protection Directive
› Enacted in 1995 to protect personal data
• Restricts transfer of Europeans’ personal data to countries
outside of the European Economic Area
• New regulation anticipated this year
› The US Safe Harbor:
• Companies regulated by FTC or Dept. of Transportation
could opt in
• Self-certification process
• Public commitments enforced by FTC
15

EU – Data Protection Directive
› US Safe Harbor invalidated in
October 2015
› Austrian citizen complained
about his personal data on
facebook
› Argued that data is not protected
from surveillance by the
government
• Relied on Edward Snowden’s
allegations about the NSA
16

Proposed EU-US Privacy Shield
› Proposed framework released Feb. 2, 2016
› Companies regulated by FTC (or other qualifying
federal agency) must:
1. Publicly commit to adhere to the Privacy Principles
2. Disclose privacy policy
3. Implement the Privacy Principles
› Certifications must be renewed annually
17

EU-US Privacy Shield – Principles
› Notice –
• Participation in Privacy Shield
• Type of data collected
• Purposes for collection
• Third parties’ use and
disclosure of data
• Available recourse
› Choice –
• Opt out must be clear and
conspicuous
• Opt in required for sensitive
information
› Race/ethnicity
› Political opinions
› Religious beliefs
› Health information
› Trade union membership
› Sexual orientation
18

› Accountability for data transferred to third parties:
• Contracts with third parties must require the third party to
provide same level of privacy protection as the Principles
• Third parties’ use of data must be consistent with users’
consent
• Must take reasonable and appropriate steps to ensure vendors
uphold Principles
• Must be able to cease data transmission to stop and remediate
misuse of data
19

› Security –
• Required to “take reasonable
and appropriate measures” to
protect data from unauthorized
access, loss, disclosure,
alteration or destruction
› Measures taken should be
balanced with the risks
involved in the processing
and the nature of the
personal data
› Data Integrity –
• Limits collection of personal
information to that which is
relevant for the purpose of
processing
• Prohibited from processing
personal information that is
incompatible with the purposes
for which it has been collected
or subsequently authorized by
the individual
20

› Access –
• Must enable individuals to
correct, amend or delete
inaccurate personal information
unless burden or expense
outweighs risks to the
individual’s privacy
› Recourse, Enforcement and
Liability –
• Individuals must be provided
use of a third party dispute
resolution body, free of charge,
to investigate and resolve
complaints of violations
• Ultimately, disputes can be
resolved through binding
arbitration
• Organization may remain liable
for vendors’ violations unless
the organization proves it was
not at fault
21

EU-US Privacy Shield –
Not Approved Yet
› The EU’s representative bodies must still approve
the proposed text
› Recent encryption disputes concerning mobile
devices have threatened EU approval
22

The Encryption War & Smartphones
23

› All Writs Act - 1789
› Permits a court, in its
“sound judgment” to
issue orders necessary
“to achieve the rational
ends of law” and “the
ends of justice entrusted
to it.”
24

› “The implications of the
government’s demands are
chilling.”
• Install surveillance software
• Access health records and financial
data
• Track your location
• Access the phone’s microphone or
camera
25

› States are considering bans on devices that would ban the
sale of full-disk encryption of smartphones
› California’s bill:
• Purpose – combat human trafficking/San Bernardino
• Scope – any smartphone sold or leased in CA after January 1,
2017
• Penalty – $2,500/phone against manufacturer or operating
system provider
26

Potential hurdles against states’ efforts:
› Dormant Commerce Clause
› Preemption – ENCRYPT Act (H.R. 4528)
“It is clear to me that creating a pathway for decryption only
for good guys is technologically stupid. You just can’t do that”
Rep. Ted Lieu (D-Calif.)
27

FTC – Regulation of Unfair Cybersecurity
Practices
› FTC Act prohibits “unfair or deceptive acts or
practices in or affecting commerce.”
› Deception is typically tied to misrepresentations –
e.g., privacy policies
› FTC’s ability to regulate the fairness of
cybersecurity practices was affirmed in August 2015
28

FTC v. Wyndham Worldwide Corp.
› More than $10.6 million in fraudulent charges
› Three separate intrusions in two years
• First intrusion – used brute-force to obtain administrator’s
username and password, then installed malware
• Second intrusion – used administrative account and
installed malware again
• Third intrusion – accessed servers that should have been
segmented from the Internet
29

FTC v. Wyndham Worldwide Corp.
Alleged Security Flaws
› Payment card data stored in clear text
› Weak passwords/default passwords in environment
› Lacked firewalls at critical points in the network
› Failed to restrict specific IP addresses at all
› Lacked inventory of computers connected to the network
› Did not force security patches to connected computers
› Inadequate information security policies
› Did not limit duration of vendors’ access
› Failed to employ reasonable measures to detect and prevent unauthorized access
› Failed to follow proper incident response procedures – did not learn from prior
intrusions
30

FTC – What Are Fair Cybersecurity
Practices?
1) Start with security
2) Control access to data sensibly
3) Require secure passwords/authentication
4) Sensitive personal information should be secured
5) Segment the network and monitor traffic
6) Restrict remote access
7) Apply security practices in product development
8) Manage service providers’ security measures
9) Keep security current
10) Secure media and devices
31

Other Regulators Are Joining Cybersecurity
Chorus
1) Securities and Exchange Commission
• Assessing cybersecurity compliance and implementation is top
priority for 2016; recently issued $75,000 fine
2) Federal Communications Commission
• Issued nearly $26 million in fines in 2015 related to data
security practices
3) Consumer Financial Protection Bureau
• March 2, 2016 – levied $100,000 penalty for falsely advertising
that customer information was “safe” and “secure” and “PCI
compliant”
32

2016 Central Ohio InfoSec Summit
Cybersecurity Act of 2015 & Other Hot Privacy and
Cybersecurity Topics
Heather Enlow-Novitsky
henovitsky@vorys.com
614-464-6226
Chris Ingram
clingram@vorys.com
614-464-5480
March 30, 2016
33

Heather Enlow & Chris Ingram - Cybersecurity Act of 2015 and Other Hot Privacy and Cybersecurity Topics

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à Heather Enlow & Chris Ingram - Cybersecurity Act of 2015 and Other Hot Privacy and Cybersecurity Topics

Similaire à Heather Enlow & Chris Ingram - Cybersecurity Act of 2015 and Other Hot Privacy and Cybersecurity Topics (20)

Plus de centralohioissa

Plus de centralohioissa (20)

Dernier

Dernier (20)

Heather Enlow & Chris Ingram - Cybersecurity Act of 2015 and Other Hot Privacy and Cybersecurity Topics