BEIJING BRUSSELS CHICAGO DALLAS FRANKFURT GENEVA HONG KONG HOUSTON LONDON LOS ANGELES NEW YORK PALO ALTO SAN FRANCISCO SHANGHAI SINGAPORE SYDNEY TOKYO WASHINGTON, D.C.
Cybersecurity: Risks, Responsibilities, Corporate Governance
Ed McNicholas, [email protected]
www.Sidley.com/Infolaw
Cybersecurity Outline
• What does cybersecurity cover?
• Recent incidents that could worry companies
• Laws, regulations, policies and US Government expectations on cybersecurity
• Data security and data breach laws regarding personal information
• Enhancing cybersecurity governance and internal controls
• What should GCs do about legal exposure?
New York Times: “Universities Face a Rising Barrage of Cyberattacks”
July 16, 2013, by Richard Pérez-Peña
• “America’s research universities, among the most open and robust centers of information exchange in the world, are increasingly coming under cyberattack, most of it thought to be from China, with millions of hacking attempts weekly. . . .”
• “University officials concede that some of the hacking attempts have succeeded. . .”
• “They acknowledge that they often do not learn of break-ins until much later, if ever, and that even after discovering the breaches they may not be able to tell what was taken. . .”
What Does Cybersecurity Cover?
Explaining Cybersecurity
• “National security” dimension includes:
  – Defense industrial base
  – Critical infrastructure (finance, communications, power, food, supply chain transport, etc.)
  – Well-ordered functioning of society (government, police, hospitals, commuting transport, schools, etc.)
  – Economic strength and competitiveness (business)
• Corporate IP, trade secrets and company data
• Company websites, networks and databases
• “Data security” dimension includes:
  – Personal information of consumers, employees, etc.
  – Customer account information
  – Data breach notifications
What’s at Stake?
• Valuable IP assets, proprietary information, business, transaction and negotiating records, financial data, electronic funds, business functionality and continuity
• Account information; personal information; access to accounts
• Disruption of business; denial of service; cyber-extortion
• Derailed acquisition when deal team at law firm is hacked
• Debilitating impact on critical infrastructure and essential services
• Communication systems
• Supply chain management
• SCADA (supervisory control and data acquisition):
  – industrial control systems (ICS): computer systems that monitor and control industrial, infrastructure, or facility-based processes
What Data and Information Need Protecting?
• Students / Consumers
• Employees
• Account holders
• Online advertising and e-commerce data
• Credit cards
• Company IP, secrets and networks
• Transactional, negotiations and corporate records
• Cross-border data
• Corporate reputation
Who Could Hurt You?
• Cyber-crooks
• State-sponsored actors and foreign agents
• Social hacktivists
• Faithless insiders and former employees
• Consumer activists
• Careless colleagues not complying with policies
• Colleagues bringing their own devices (BYOD)
• Careless service providers and vendors
• Competitors?
Who Wants to Hold You Accountable?
• FTC, State AGs, CFPB, HHS/OCR, Education
• SEC
• White House, DHS, FBI
• NLRB, unions, worker councils
• Congress
• Class action lawyers
• Audit committees
• Shareholders
• Media
• European regulators and “DPAs”
Some Recent Incidents that Could Worry Companies
Cyber-attacks Continue
• March 2013: South Korean banks and broadcasters attacked (North Korea suspected)
• Feb. 2013: Facebook, Apple, Microsoft and Twitter disclose hacks; 250,000 Twitter user names/emails accessed
• Feb. 2013: Federal Reserve Board hacked by Anonymous based on vulnerability in vendor product
• Feb. 2013: New York Times, Wall Street Journal, Washington Post reveal penetration by China
• Jan. 2013: DDoS attacks by Iran against JPMorgan, Bank of America, Citigroup, etc.; Iran retaliation suspected
• August 2012: 30,000 Saudi Aramco computers wiped clean of all data by “Shamoon” virus; corporate logo replaced with burning American flag; Iran suspected
• May 2012: DHS announces ongoing, coordinated cyber attack on control systems of U.S. gas pipelines
• 2011, 2010: Flame and Stuxnet attack Iran (data extraction and SCADA)
Laws, Regulations, Policies and US Government Expectations on Cybersecurity
The President on Cybersecurity
• President Obama State of the Union (Feb. 2013):
  – “We know hackers steal people’s identities and infiltrate private email. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems.”
  – “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
• The “cyber threat is one of the most serious economic and national security challenges we face as a nation…America's economic prosperity in the 21st century will depend on cybersecurity”
US Perspectives on Cybersecurity
• “Foreign collectors of sensitive economic information are able to operate in cyberspace with relatively little risk of detection by their private sector targets.”
• “Cyber tools have enhanced the economic espionage threat, and the Intelligence Community (IC) judges the use of such tools is already a larger threat than more traditional espionage methods.”
• “Sensitive US economic information and technology are targeted by the intelligence services, private sector companies, academic and research institutions, and citizens of dozens of countries [especially China and Russia].”
Report from the Office of the National Counterintelligence Executive (NCIX), October 2011
Cybersecurity Executive Order 13636 and Directive (Feb. 12, 2013)
• Congressional stalemate led to Executive Order 13636:
  – Development of NIST “Cybersecurity Framework” and programs to encourage voluntary adoption of the framework
  – DHS designation of CI companies (with right of reconsideration)
  – Creation of regulatory standards by agencies with statutory authority
  – Increased threat information sharing to CI operators
• Directive (Feb. 12, 2013) names 16 critical infrastructure areas
  – CI sectors and their designated SSAs are: Chemical (DHS); Commercial Facilities (DHS); Communications (DHS); Critical Manufacturing (DHS); Dams (DHS); Defense Industrial Base (DoD); Emergency Services (DHS); Energy (Department of Energy); Financial Services (Treasury); Food and Agriculture (Department of Agriculture (USDA) and Department of Health and Human Services (HHS)); Government Facilities (DHS and General Services Administration); Healthcare and Public Health (HHS); Information Technology (DHS); Nuclear Reactors, Materials, and Waste (DHS); Transportation Systems (DHS and Department of Transportation); and Water and Wastewater Systems (Environmental Protection Agency)
Primary (Existing) Enforcement Statutes
• Computer Fraud and Abuse Act of 1984 (CFAA)
  – Prohibits certain attacks on computer systems used in interstate and foreign commerce
  – Criminal and civil penalties for unauthorized access and wrongful use of computers and networks
• Electronic Communications Privacy Act of 1986 (ECPA)
  – Prohibits interception of wire, oral, or electronic communications unless an exception applies
  – Establishes rules that law enforcement must follow to access data stored by service providers (ECS and RCS), e.g., search warrants, court orders and subpoenas
SEC Cybersecurity Guidance
• Corporation Finance guidance issued Oct. 13, 2011 (in response to Sen. Rockefeller)
  – 4/9/13: New Rockefeller letter seeking formal rules
• Guidance characterizes cyber-attacks as targeting:
  – Financial assets, intellectual property, other sensitive information
  – Customer or business partner data
  – Disruption of business operations
• Disclose cyber-risks if they “are among the most significant factors that make an investment in the company speculative or risky”
  – Frequency of prior incidents; probability and potential harm of future incidents
  – Avoid generic language
SEC Guidance
• Determine cybersecurity risks based on frequency of prior incidents and probability and potential harm of future incidents
• “[A]dequately describe the nature of the material risk and specify how each risk affects the registrant,” avoiding generic language
• At least 21 Dow 30 companies discussed cybersecurity or data breaches in their 2011 Form 10-K risk factor disclosures
SEC Cyber-Comment Letters
• In 2012, following hack of Amazon’s Zappos servers (involving theft of 24 million customer names and e-mails), SEC asked Amazon to “expand [cybersecurity] risk factor to disclose that you have experienced cyber-attacks and breaches” and “to describe [risks of] third-party technology and systems”
  – SEC had disagreed with Amazon’s view that hack was not significant enough to be covered by SEC Cybersecurity Guidance
• Google, AIG, Hartford Financial Services Group, Eastman Chemical, and Quest Diagnostics were also asked by SEC in 2012 to expand cybersecurity disclosures
Federal Financial Institutions Examination Council
• 2011 Supplement Guidance specifically targeting cybersecurity:
  – Enhanced risk assessments: banks should update risk assessments at least annually
  – Layered security controls: should not rely on static challenge questions to protect customer data. Layered security measures should be implemented based on the dollar amount and complexity of the transaction
  – Fraud detection and monitoring: Fraud detection measures can be manual or electronic. People, processes or platforms can be used to detect anomalies
  – Out-of-band transaction confirmation: additional layer of security by having the authorization come from outside the channel where the transaction originated
  – Heightened education initiatives: Many security breaches can be avoided simply by educating the relevant parties in how to prevent and detect security breaches. Special attention was given to customer education
Data Security and Data Breach Laws on Personal Information
Data Breach and Data Security Laws
• State data breach notification laws re: personal information
  – 46 states, DC, Puerto Rico, the Virgin Islands, and Guam have breach notification requirements
  – Some states require prompt reporting to government agencies (e.g. Puerto Rico: 10 days; VT: 14 business days)
  – Triggers vary from “risk of harm,” to “compromise,” to mere acquisition of data
• State data security laws re: personal information
  – E.g., Massachusetts requires comprehensive written information security plan with specific, detailed requirements
• Federal requirements regarding safeguarding personal information and responding to data breaches
  – Communications Act, GLBA, HIPAA
  – Federal data breach legislation possible
Enhancing Cybersecurity Governance and Internal Controls
Data Security: On the Corporate Radar?
• FTI Consulting/Corporate Board Member Survey:
  – Data security is a top legal concern in 2012 for both Directors and General Counsel
    • The percentage of Directors and GCs concerned re: data security has doubled since 2008
  – The median annualized cost of cyber-crime per company averaged $5.9 million
  – But: only 42 percent of survey participants said their company had a data crisis management plan in place
Corporate Practices on Cybersecurity: Report Suggests Lack of Board Involvement
Boards of Financial Sector Companies
– 42% rarely or never review annual privacy/security budgets
– 39% rarely or never review roles and responsibilities
– 56% do not actively address computer/information security
– 52% do not review cyber insurance
Governance of Enterprise Security: CyLab 2012 Report
Enhance Board/CEO Attention
• Review and refine information governance structure
  – Assign distinct board committee responsibility for cybersecurity, data protection and information privacy; establish expectations for management; require ongoing reporting regarding information risks and controls; review top-level policies
  – Assign C-level management responsibility, accountability and reporting obligations; provide adequate budget and operational resources; authorize involvement in industry/government information sharing
  – Consider appointing CISO (chief information security officer) and CPO (chief privacy officer)
  – Develop and approve appropriate cybersecurity protocols and safeguards; increase internal awareness
• Evaluate cyber-insurance coverage
Enhance Board/CEO Attention – cont’d
• Develop cybersecurity and data protection risk assessment
  – Understand system and network vulnerabilities; plan for possible “persistent” threats
  – Understand exposure of essential or valuable information and communication assets
  – Understand exposure to third parties and service providers (includes cloud providers and law firms)
  – Consider possible counter-measures to disrupt attacks
• Monitor legislative, policy, industry, contractual, litigation, marketplace, consumer and employee developments and expectations
  – Address legal compliance and reporting responsibilities
  – Consider SEC issues
• Engage IT and audit experts; test systems
What Should General Counsels Do About Legal Exposure?
Managing Cyber Risks
• Commission and review risk assessments
• Identify legal and business obligations
• Monitor legal and policy developments
• Address participation in industry and private sector initiatives
  – DHS’ US CERT Coordination Center (CERT/CC)
  – Information Sharing and Analysis Centers (ISACs)
  – Current ISACs by sector: communications, financial services, electricity, IT, surface transportation, public transit, water, multi-state
  – Goals: risk mitigation, incident response, alert and information-sharing
Managing Cyber Risks – cont’d
• Develop cooperative relationship with key regulators for optimal information sharing
• Examine incident response and notification procedures
• Prepare for involvement of law enforcement/FBI/DHS
• Inform investors of materiality of cybersecurity risks
• Prepare for technical and legal responses
• Identify resources in advance
• Ensure appropriate insurance
• Report regularly and follow up at Board and CEO level
Lawyer To-Do List For Cybersecurity
• Overall legal compliance
• Oversight and readiness for incident response
  – Have you vetted and tested your response ability?
• Analyzing and explaining the complex legal environment
• Coordination of relationships with government
• Development of standards and internal policies
  – Does your organization learn lessons?
• Managing protections and obligations in contracts, customer and vendor relationships
• Assessing insurance options and protections
• Addressing “Hack Back” options
• Managing legal/reputational issues
• Fourth Amendment: Corporate agents of the government?
• Privilege and selective waivers
• Securities issues
Cybersecurity Insurance
• SEC Guidance: “[d]escription of relevant insurance coverage.”
• Most commercial insurance does not cover cyber.
• Cybersecurity insurance falls into two categories:
  – First-party coverage for damages directly associated with intellectual property theft, data loss and destruction, hacking, and denial-of-service attacks, including the immediate technical and forensic expenses
  – Third-party coverage for public relations services, legal expenses arising from lawsuits brought by customers or third-party businesses, credit-monitoring for affected individuals, and associated penalties and fines
• Insurers require sufficient documentation or audits demonstrating that technology solutions have been implemented.
• Discounts to those who are better secured.
Costs of Intrusion
• Investigation, forensic and audit services
• Notification costs, compliance with regulatory requirements, outside experts and analysis
• Legal response and defense costs
• Lost business and reputation
• Post-breach remediation costs, etc.
• Reputation restoration
Responding to an Incident
• Effectuate IT containment and triage
• Assess nature of attack: IP assets; trade secrets; financial; customer data; denial of service; geopolitical; hacktivists
• Determine affected systems and targeted data; gauge possible exfiltration; address persistent threats
• Involve outside counsel and forensic IT consultants?
• Identify and notify stakeholders?
• Consult government; national security; law enforcement; homeland security?
• Assess liabilities, legal compliance, contract obligations, SEC reporting, insurance, etc.
• Evaluate existing control systems, responsibility and accountability; implement lessons learned
FBI Visit on APT
• “Advanced Persistent Threat” attack on defense contractor: not detectable through normal scans
• FBI initiated contact to inform re evidence of penetration and possible exfiltration of data
  – Communications to suspected server
• State-sponsored intrusion (no nation-state attribution)
• Likely cause: spear phishing malware
  – Downloads attack tools
  – Communicates with malware repository
  – Compromises domain controllers; escalates credentials
  – .exe files renamed; file headers show executable nature
  – .rar files used for compression
• Forensic measures: DNS server logging; full packet capture; firewall logs
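The slide notes that renamed .exe files still reveal their nature in the file header and that .rar archives were used for staging. The Python below is an added example, not part of the deck: it classifies files by header (a DOS “MZ” stub with a valid PE signature, or the RAR signature) and flags any whose extension disagrees. The sample paths and the minimal PE header are constructed for the example.

```python
import os
import struct
from typing import Dict, List, Tuple

# Constructed example: RAR 4.x and 5.x archives share this signature prefix.
RAR_MAGIC = b"Rar!\x1a\x07"
# Extensions under which each detected type is legitimately expected to appear.
EXPECTED_EXT = {"pe": {".exe", ".dll", ".sys", ".scr"}, "rar": {".rar"}}

def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew lives at 0x3C
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"

def classify(data: bytes) -> str:
    """Return 'pe', 'rar' or 'other' from the file header alone."""
    if is_pe(data):
        return "pe"
    if data.startswith(RAR_MAGIC):
        return "rar"
    return "other"

def find_disguised(files: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """Return (path, extension, real_type) for each header/extension mismatch."""
    hits = []
    for path, head in files.items():
        kind = classify(head)
        ext = os.path.splitext(path)[1].lower()
        if kind != "other" and ext not in EXPECTED_EXT[kind]:
            hits.append((path, ext, kind))
    return hits

def scan_dir(root: str, head_len: int = 4096) -> List[Tuple[str, str, str]]:
    """Read only the first head_len bytes of each file under root, then check them."""
    heads = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    heads[full] = fh.read(head_len)
            except OSError:  # unreadable or vanished file: skip, keep scanning
                continue
    return find_disguised(heads)

def fake_pe() -> bytes:
    """Constructed minimal PE header: MZ stub, e_lfanew=0x80, 'PE\\0\\0' at 0x80."""
    buf = bytearray(0x84)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)

# Constructed sample set (paths are hypothetical): two disguised files, two genuine.
SAMPLE_FILES = {
    r"C:\Users\Public\invoice.pdf": fake_pe(),                 # renamed executable
    r"C:\Windows\Temp\~tmp0042.dat": RAR_MAGIC + b"\x01\x00",  # RAR5 staging archive
    r"C:\Windows\System32\notepad.exe": fake_pe(),             # genuine .exe
    r"C:\Users\Public\report.pdf": b"%PDF-1.7\n",              # genuine PDF
}

if __name__ == "__main__":
    for path, ext, kind in find_disguised(SAMPLE_FILES):
        print(f"{path}: extension {ext or '(none)'} but header says {kind}")
```

Point `scan_dir` at a staging directory or user profile to run the same check over real files; it reads only the first 4 KB of each file, so it is cheap enough for a triage pass.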
Litigation Exposure
• Failure to safeguard could expose boards to shareholder suits alleging negligence or breach of fiduciary duty
  – Delaware Caremark decision: duty of care to establish information control systems for reporting and oversight of legal compliance and ethics
• Patco Construction Co. v. People’s United Bank (1st Cir. 2012)
  – Bank sued after transferring $345,000 to cyber criminal
  – Court held that defendant’s security procedures were “commercially unreasonable”; court relied upon FFIEC standards
• Lawsuits faced by: ChoicePoint, Heartland Payment Systems, Hannaford, Amazon/Zappos, Sony, etc.
TJX (2007)
• Hackers stole 45 million customer records over 18 months
• Breach reported to cost up to $1.6 billion
• Banks and Massachusetts Bankers Association (MBA) sued ($41 million settlement)
• State AG settlement (41 states) for $9.75 million
  – Agreed to implement stringent data security program
  – CA AG Coakley: settlement “ensures that companies cannot write off the risk of a data breach as a cost of doing business”
• Consumer action settled by offering $30 cash or $60 voucher for three years of credit monitoring, plus cost of replacing driver’s license
Sidley Austin LLP, a Delaware limited liability partnership which operates at the firm’s offices other than Chicago, New York, Los Angeles, San Francisco, Palo Alto, Dallas, London, Hong Kong, Houston, Singapore and Sydney, is affiliated with other partnerships, including Sidley Austin LLP, an Illinois limited liability partnership (Chicago); Sidley Austin (NY) LLP, a Delaware limited liability partnership (New York); Sidley Austin (CA) LLP, a Delaware limited liability partnership (Los Angeles, San Francisco, Palo Alto); Sidley Austin (TX) LLP, a Delaware limited liability partnership (Dallas, Houston); Sidley Austin LLP, a separate Delaware limited liability partnership (London); Sidley Austin LLP, a separate Delaware limited liability partnership (Singapore); Sidley Austin, a New York general partnership (Hong Kong); Sidley Austin, a Delaware general partnership of registered foreign lawyers restricted to practicing foreign law (Sydney); and Sidley Austin Nishikawa Foreign Law Joint Enterprise (Tokyo). The affiliated partnerships are referred to herein collectively as Sidley Austin, Sidley, or the firm. For purposes of compliance with New York State Bar rules, Sidley Austin LLP’s headquarters are 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000.
Questions?
Edward McNicholas: 202-736-8010, [email protected]
www.Sidley.com/InfoLaw
This presentation has been prepared by Sidley Austin LLP as of July 30, 2013 for educational and informational purposes only. It does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking personalized advice from professional advisers.
EDWARD R. MCNICHOLAS, Partner
Washington, DC; +1.202.736.8010; +1.202.736.8711 Fax; [email protected]
PRACTICES: Privacy, Data Security and Information Law; Complex Commercial Litigation; Appellate
EDUCATION: Harvard Law School (J.D., 1996, cum laude, Harvard Law Review Editor); Princeton University (A.B., 1991, summa cum laude, Phi Beta Kappa)
CLERKSHIPS: U.S. Court of Appeals, 4th Circuit, Paul V. Niemeyer
EDWARD R. MCNICHOLAS is a partner in the Washington, D.C., office of the international law firm Sidley Austin LLP and a global coordinator of its Privacy, Data Security, and Information Law practice. His practice focuses on clients facing complex information technology, constitutional and privacy issues in civil and white-collar criminal matters.
Mr. McNicholas has significant experience with a wide range of cutting-edge Internet and information law matters involving privacy and data protection, electronic surveillance, information security, cloud computing, trade secrets, social media, locational privacy, e-commerce, copyright, defamation, online brand protection, e-discovery, and national security. Mr. McNicholas and Sidley’s Privacy and Data Security practice were selected for Chambers USA: America’s Leading Lawyers for Business for 2008-2013 as well as Chambers Global for 2010-2013, the 2011-2012 Legal 500, and The International Who's Who of Internet, e-Commerce & Data Protection Lawyers 2011-2012. Chambers USA (2013) notes that Mr. McNicholas “wins praise for his ‘depth of experience and ability to bring technology issues together to provide information we can act on.’” Super Lawyers (2013) ranks him in Information Technology. He has also been recognized in a Computerworld survey of “Best Privacy Advisers” as one of the “Top 25 Privacy Experts” in the country, and Chambers USA 2010-2011 also separately recognized Mr. McNicholas in nationwide litigation rankings for e-discovery.
Mr. McNicholas previously served as an Associate Counsel to President Clinton. In that capacity, he advised senior White House staff regarding various Independent Counsel, congressional and grand jury investigations. He also previously served as a desk officer at the U.S. Office of Government Ethics, where he helped national defense and intelligence agencies establish effective compliance programs.