
The Information Security Legal Context

John R. Christiansen, J.D., Christiansen IT Law (Privacy/Security/Compliance), 2212 Queen Anne Avenue North #333, Seattle, Washington 98109, 206.301.9412, john@christiansenlaw.net. The Information Security Legal Context, UW CIAC.


Presentation Transcript


  1. The Information Security Legal Context
  John R. Christiansen, J.D., Christiansen IT Law, Privacy/Security/Compliance
  2212 Queen Anne Avenue North #333, Seattle, Washington 98109, 206.301.9412, john@christiansenlaw.net
  UW CIAC, Information Security and Risk Management in Context, October 5, 2011

  2. Presenter Bio
  John R. Christiansen, J.D. - Christiansen IT Law. Information Technology Law: Privacy, Security, Compliance and Risk Management, IT Development and Licensing
  • Advisor to U.S. Dep’t of Health and Human Services Offices of National Coordinator for Health Information Technology, and Civil Rights; Special Assistant Attorney General to Washington State Health Care Authority; IT counsel to technology companies, health care organizations, financial institutions and professional services firms
  • Chair, ABA HITECH Business Associates Task Force, 2009 – pres.; Committees on Healthcare Information Technology (2007 – 2009); Healthcare Privacy, Security and Information Technology (2004 – 06); Healthcare Informatics (2000 – 04); and PKI Assessment Guidelines Health Information Protection and Security Task Group (2000 – 2003)
  • Adjunct Faculty, University of Washington Information School and Advisory Board member, Center for Information Assurance and Cybersecurity
  • Publications include Legal Speed Bumps on the Road to Health Information Exchange, Journal of Health and Bioscience Law (2008); Using Safe Harbors to Reduce Legal Barriers to Implementation of Electronic Health Records and Health Information Networks, Shidler Journal of Law, Commerce and Technology (accepted 2007); An Integrated Standard of Care for Healthcare Information Security (2005); Electronic Health Information: Security and Privacy Compliance under HIPAA (2000); etc.
  (c) Christiansen IT Law 2011

  3. The Problems
  • Black Swans
  • Moral Panics
  • Reactive Regulators
  • Flighty Finance

  4. The Problems
  • Unexpected negative events (Black Swans) cause
  • Public outrage and outcry (Moral Panics), which cause
  • Retrospective legal action (Reactive Regulators), causing
  • Investors, customers and business partners to flee (Flighty Finance)

  5. What’s Law Got to Do With It?
  • Laws are tripwires:
    • Laws create jurisdiction to investigate and enforce
    • Very few proactive investigatory audits
    • Everyone can be found in violation of something
  • Government wants to do something
    • Enforcement becomes a retrospective investigation and penalty action
    • New legislation and regulations may ensue
  • Prolonged investigation and new laws trigger financial flight

  6. Black Swans
  • “A black swan is a highly improbable event with three principal characteristics: it is unpredictable; it carries a massive impact; and, after the fact, we concoct an explanation that makes it appear less random, and more predictable, than it was.” – Nassim Taleb
  • Black Swans are SOP in complex systems

  7. Black Swans
  • Deepwater Horizon Blowout
  • 9/11
  • The Morris Worm
  • DNS Cache Poisoning (Kaminsky)
  • Providence/Portland New Years Media Theft
  • California Comptroller Database Breach
  • Heartland Payment Hack (TJ Maxx)

  8. Black Swans
  • “There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.” – Donald Rumsfeld

  9. Moral Panics
  • “The business of political operatives is horse trading in smoke-filled rooms. . . . This isn’t hypocrisy; this is management. . . .
  “Except, that is, for outbursts of the bizarre: scandal and terror. Sometimes everyday politics is disrupted by an advent so wicked and heinous, so beyond the pale, that it calls the whole system into question. . . . This is moral panic.” – Bruce Sterling

  10. Moral Panics
  • “. . . Moral panics are not always based on ‘The Big Lie.’ Instead, moral panics can take an existing problem of little or no consequence and turn it into an existential one to further a political agenda. Moral panics are not irrational acts by those who construct them, but rather are the result of deliberate political opportunism. . . .” – William Patry

  11. Moral Panics
  • Satanic Abuse Cases (Wenatchee, McMartin Day Care, etc.)
  • The “Hacker Crackdown”
  • Cyberterrorism, Cyberwar (?)
  • Music Piracy
  • HIPAA Uniform Patient Identifier

  12. Reactive Regulators
  • Richard Nixon and the Fair Information Protection Principles
    • Basis for EU Data Protection, HIPAA, GLBA, etc.
  • “Operation Sundevil”
  • SB 1386 (and its many progeny)
  • Defunding of HIPAA patient identifier work
  • Regulatory investigation and penalty actions against Providence (typical)
  • Payment Card Industry (PCI) standards and enforcement regime

  13. Reactive Regulators
  • Presumption: Every major organization can be found in breach of some regulation
  • Almost all standards are risk-based: HIPAA, GLBA; PCI compensating controls; etc.
    • Good: Allows for necessary variation
    • Bad: More stringent additional or alternate safeguards can almost always be identified
  • Risk management is only as good as risk assessment – back to Black Swans and unknown unknowns
  • Risk analysis and management are judged harshly in retrospect: Hindsight is 20/20

  14. Reactive Regulators
  • Presumption: Every major organization can be found in breach of some regulation
  • Many organizations are subject to multiple overlapping regulations – can they be reconciled?
  • Some regulations have competing values – what is the “legally correct” balance between confidentiality and availability?
  • Risk assessment is always and only a snapshot – status at the time of observation
    • Hannaford Brothers (2008): Processor certified compliant one day after being notified of two-month-old malware operations

  15. Flighty Finance
  • “Vulnerability disclosures do lead to a negative and significant change in market value for a software vendor. On average, a vendor loses around 0.6% value in stock price when a vulnerability is reported. This is equivalent to a loss in market capitalization values of $0.86 billion per vulnerability announcement.” – Telang & Wattal (2005)

  16. Flighty Finance
  • “The most readily available metric, the share price of Heartland common stock, serves as a ready indicator of how the markets have responded to the incident and the company’s actions since.” – Kroger (2010)
    • Before announcement: $15.16
    • Right after announcement: $8.18
    • Next SEC disclosure: $3.43
    • After remediation (several months): $10.43

  17. Flighty Finance
  • CardSystems
    • Intrusion compromised tens of millions of card numbers
    • Millions of dollars in fraudulent charges
  • In the wake of the breach:
    • Thousands of credit cards canceled, re-issued
    • Mastercard and Visa terminated their contracts
    • CardSystems filed for bankruptcy

  18. A Cautionary Tale
  • Oxford Health Plans (S.D.N.Y.) / Heller v. Oxford Health Plans et al. (D.Conn.)
    • Computer system upgrade initiated 1996
    • Delays in generating billings, lost revenues
    • Processing failures made accurate accounting of revenues and expenses impossible
    • 11/96 – 10/97: Company officers filed SEC documents and made representations admitting but underplaying the effects of the problems

  19. A Cautionary Tale
  • Oxford Health Plans (S.D.N.Y.) / Heller v. Oxford Health Plans et al. (D.Conn.)
  • Court ruled valid claims stated for:
    • Breach of fiduciary duty (officers)
    • Gross mismanagement (officers)
    • Waste (officers)
    • “Knowing or reckless disregard of lack of internal controls and ineffective computing system” (KPMG)
  • Settlement March 2003: $300 million

  20. A Cautionary Tale
  • In re Caremark International, Inc. (Del. 1996)
    • Stockholder suit against Caremark board for breach of fiduciary duty in failing to supervise employees and institute measures to address company violations of antikickback laws
    • The “core element of any corporate law duty of care inquiry [is] whether there [was] a good faith effort to be informed and exercise judgment.”

  21. A Cautionary Tale
  • In re Caremark International, Inc. (Del. 1996)
    • “[A] director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may . . . render a director liable for losses caused by noncompliance with applicable legal standards.”
    • “[L]iability to the corporation for a loss may be said to arise from an unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss.”

  22. So What Do I Do?
  • Assume a security breach will happen to you
  • Help your C-Suite and Board understand this perspective
  • Avoid “minimalist” risk assessment and risk management
  • Be ready to respond – investigation, remediation, legal and public relations

  23. So What Do I Do?
  • R is the risk level required for regulatory compliance.
  • C is the cost of the risk management program necessary to achieve and maintain regulatory compliance.
  • R’ is the more stringent risk level to be achieved in order to prevent losses the organization is not willing or able to assume.
  • C’ is the greater cost of the risk management program necessary to achieve regulatory compliance as well as to prevent losses the organization is not willing or able to assume.

  24. So What Do I Do?
  • Assume a retrospective assessment would find a breach of some applicable law
  • Have legal counsel involved; do due diligence to minimize possible violations
  • Be ready to defend yourself
  • Be ready to find a scapegoat
  • Be ready to negotiate

  25. Defensible Information Security Risk Management
  Organizational layers, top to bottom, and what flows between them (diagram rendered as a list):
  • Board, CEO, CFO, General Counsel
  • Senior Management – interaction with or participation in Board committees
  • Cross-Organizational Team (Business Managers, HR, Legal, CPO, CSO, CIO/CISO)
    ↑ Facts about processes, technologies, outputs, events
  • Operational Personnel

  26. Defensible Information Security Risk Management
  Upward flow, second step (diagram rendered as a list):
  • Board, CEO, CFO, General Counsel
  • Senior Management – interaction with or participation in Board committees
    ↑ Analyses of financial, operational and legal risk implications of the facts
  • Cross-Organizational Team (Business Managers, HR, Legal, CPO, CSO, CIO/CISO)
    ↑ Facts about processes, technologies, outputs, events
  • Operational Personnel

  27. Defensible Information Security Risk Management
  Upward flow, complete (diagram rendered as a list):
  • Board, CEO, CFO, General Counsel
    ↑ Reports on analyses and recommendations for risk strategies
  • Senior Management – interaction with or participation in Board committees
    ↑ Analyses of financial, operational and legal risk implications of the facts
  • Cross-Organizational Team (Business Managers, HR, Legal, CPO, CSO, CIO/CISO)
    ↑ Facts about processes, technologies, outputs, events
  • Operational Personnel

  28. Defensible Information Security Risk Management
  Downward flow of direction (diagram rendered as a list):
  • Board, CEO, CFO, General Counsel
    ↓ Risk acceptance and risk strategy guidance
  • Senior Management – interaction with or participation in Board committees
    ↓ Risk management and information security policies
  • Cross-Organizational Team (Business Managers, HR, Legal, CPO, CSO, CIO/CISO)
    ↓ Information security program policies, procedures and technical solutions
  • Operational Personnel

  29. Questions? Thanks!
