1 / 27

EEI : Cybersecurity Law Conference

EEI : Cybersecurity Law Conference. Lisa J. Sotto Hunton & Williams LLP (212) 309-1223 lsotto@hunton.com www.huntonprivacyblog.com October 24, 2014. Paul M. Tiao Hunton & Williams LLP ( 202) 955-1618 ptiao@hunton.com. The Privacy and Cybersecurity Team at Hunton & Williams.

Download Presentation

EEI : Cybersecurity Law Conference

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. EEI: Cybersecurity Law Conference Lisa J. Sotto Hunton & Williams LLP (212) 309-1223 lsotto@hunton.com www.huntonprivacyblog.com October 24, 2014 Paul M. Tiao Hunton & Williams LLP (202) 955-1618ptiao@hunton.com

  2. The Privacy and Cybersecurity Teamat Hunton & Williams • Over 25 privacy professionals in the U.S., EU and Asia • Our privacy clients have included 6 of the Fortune 10 • Representing clients across multiple industry sectors, including energy, retail, transportation, consumer products, publishing, financial services, technology, advertising, health care and pharmaceutical • Centre for Information Policy Leadership at Hunton & Williams • www.HuntonPrivacyBlog.com • @hunton_privacy

  3. Roadmap • Introduction • Cyber Threat Landscape – Setting the Stage • The Legal and Policy Environment • U.S. • EU • Lessons Learned

  4. A Sampling of Recent Global Headlines 5 3 1 May 2014 April 2014 7 August 2013 May 2014 French Telco reports 2nd breach in past several months Heartbleed bug announced – related breaches uncovered Another wave of DDOS attacks on Financial Institutions launched but deemed to have little impact Ebay Breach – investigations in the US and UK anticipated 2 6 December / January 2013 May 2014 4 April 2014 Target CEO resigns; the company’s breach response cited as a contributing factor Several U.S. retailers and a UK announce significant credit card breaches Worst data breach in German history identified; 18+ million email passwords compromised

  5. The Cyber Threat Landscape • Threat Actors • Threat Vectors • Targeted Information and Systems

  6. A Year In Review • Recent Compromises • Target • Neiman Marcus • Michaels • The UPS Store • Goodwill • The Home Depot • JPMorgan Chase • Recent Government Activity • Congressional inquiries • Calls for FTC action • PLA indictment

  7. Legislative and Policy Environment • Congressional attempts to pass cybersecurity legislation • Numerous efforts to pass a cybersecurity law • Key legislative issues • Failure to pass legislation in 2012 provided impetus for the 2013 Executive Order on Improving Critical Infrastructure Cybersecurity

  8. Executive Order on Improving Critical Infrastructure Cybersecurity • Cybersecurity Framework • Voluntary program, including incentives • Information sharing • Identification of critical infrastructure for which a cybersecurity attack could have catastrophic effects • Agencies to determine whether existing regulations are sufficient and take regulatory action to address deficiencies • Use of the federal procurement process to encourage contractors to enhance information security practices • Consideration of privacy and civil liberties issues

  9. Cybersecurity Framework • NIST published final version of Cybersecurity Framework on Feb. 12, 2014 • Framework Core • Implementation Tiers • Framework Profile • Privacy appendix in preliminary Framework (Oct. 2013) stricken from final • Extensive public input • Five widely-attended workshops • Request for Information • Many comments on the preliminary version of the Framework • Likely benchmark in regulatory, enforcement and litigation context • Future workshops and versions

  10. A Life-Cycle Methodology

  11. Function Categories • 6 Functions, 22 Categories, 98 Sub Categories • Identify – Asset management, business environment, governance, risk assessment, risk management • Protect – Access control, awareness & training, data security, process & procedures, maintenance, protective technologies • Detect – Anomalies & events, continuous monitoring, detection processes • Respond – Response planning, communications, analysis, mitigation, improvement • Recover - Recovery planning, improvements, communications

  12. Framework Profile * This same roadmap visualization can be applied to the categories and sub-categories within each function.

  13. Electric Utility Issues • Industrial Control Systems • Smart Grid • Information Sharing Groups • Electricity Subsector ISAC • Downstream Natural Gas ISAC • Cyber insurance for operational technology

  14. Federal Agency Information-Sharing Programs • DHS • National Cybersecurity and Communications Integration Center (NCCIC) • US-CERT • ICS-CERT • Cybersecurity Information Sharing and Collaboration Program (CISCP) • FBI • Cyber Division & FBI Field Offices • National Cyber Investigative Joint Task Force • National Cyber and Forensics Training Alliance • Domestic Security Alliance Council • InfraGard • DOE • Cybersecurity Risk Information Sharing Program (CRISP)

  15. Public-Private Information Sharing Issues • Standard Agreements • DHS Cooperative Research and Development Agreement • FBI Memorandum of Agreement and Non-Disclosure Agreements • Information sharing rules and procedures • Information handling restrictions • Protection from disclosure under FOIA • Implications for regulatory enforcement • Prosecutorial implications • Privacy risks

  16. Data Security Rules • Federal Law • FTC Act • Gramm-Leach-Bliley • HIPAA/HITECH • FACTA Disposal Rule • State Requirements • MA, NV, CA and progeny • Breach notification laws • Industry Standards • PCI DSS • ISO • NIST

  17. Utility-Specific Cybersecurity Requirements • Version 5 Critical Infrastructure Protection Reliability Standards • Expanded scope of covered cyber systems • Categorization of systems by impact on reliability • Enforcement date – April 2016 • NERC Physical Security Standards

  18. Legal Obligations • Understand your legal obligations arising out of a cyber event • Breach notification and other obligations • State, federal, international law • Industry standards • Contractual obligations • SEC reporting

  19. State Breach Notification Requirements • Generally, the duty to notify arises when unencrypted computerized “personal information” was acquired or accessed by an unauthorized person • “Personal information” generally is an individual’s name plus: • Social Security number • Driver’s license / state ID card number or • Account, credit or debit card number, along with password or access code • Service providers must notify data owners of security breaches and some states require “cooperation” with the data owner

  20. Variations in State Breach Laws • Definition of PI • Computerized v. paper data • Notification to state agencies • Notification to CRAs • Timing of individual notification • Harm threshold • Content of notification letter • Preemption • New CA requirements

  21. SEC Cybersecurity Guidance • Companies are not disclosing enough • The SEC is cracking down • Vast majority of companies that did address cyber issues used only boilerplate language • Some hacking victims said nothing • Disclosures often don’t give a genuine sense of the risk • Cyber attacks are included as one of many potentially catastrophic events

  22. SEC Enforcement Efforts • SEC is now formally investigating companies’ cyber disclosures • Focused on whether investors appropriately informed • Probes are not public • Target is reported to be facing scrutiny • Prospect of enforcement actions

  23. EU Cybersecurity: Regulatory Efforts • On February 7, 2013, the EC issued a draft directive on cybersecurity • Once adopted, member states will have 18 months to implement the Directive • The aim of the Directive is to • Achieve European cyber resilience • Drastically reduce European cybercrime • Develop common European cyber defense policies and resources • Establish a coherent European cyberspace policy and promote core EU values • The Directive would require EU competent authorities to cooperate, share information, and coordinate responses

  24. EU Cybersecurity: Breach Reporting • The Directive would require companies in “critical” sectors to adopt strict network security standards and report “significant” cybersecurity incidents • The proposals encompass a broad section of industry sectors, including non-essential services such as YouTube and Spotify • The proposals do not clearly distinguish between targeted cybersecurity incidents and other types of breaches • The breach reporting requirements are not harmonized with existing and anticipated breach reporting requirements under the EU E-Privacy Directive and the proposed EU General Data Protection Regulation

  25. Global Breach Notification Requirements • Breach notification requirements and guidance emerging across the world • 30+ countries outside the U.S. now require or strongly recommend notification • Federal and provincial standards in Canada • Several countries in Europe (including Germany) • All major countries in Asia and Oceania (including Australia, Hong Kong, India)

  26. Data Breach Response Timeline 1 2 3 4 5 6 7 8 9 10 11

  27. Lisa J. Sotto Partner Chair, Privacy and Cybersecurity Practice Hunton & Williams LLP (212) 309-1223 lsotto@hunton.com Paul M. Tiao Partner Hunton & Williams LLP (202) 955-1618ptiao@hunton.com

More Related