Legal Vectors - Survey of Law, Regulation and Technology Risk

Advanced Persistent Legal Threats: Some Hackers Wear Suits, not Hoodies

Upload: william-gamble

Post on 14-Apr-2017


Page 1: Legal vectors - Survey of Law, Regulation and Technology Risk

Advanced Persistent Legal Threats

Some Hackers Wear Suits not Hoodies

Page 2

APLT

Consequences of a breach

• a) Data lost or unavailable – Restore backup
• b) Intellectual property could be stolen – Sue for patent infringement
• c) Customer's data could be stolen – Compensate your customers
• d) Extortion – Come clean and apologize

Page 3

Economics of Regulation – FCPA

1. Siemens (Germany): $800 million in 2008.
2. Alstom (France): $772 million in 2014.
3. KBR / Halliburton (USA): $579 million in 2009.
4. BAE (UK): $400 million in 2010.
5. Total SA (France): $398 million in 2013.
6. VimpelCom (Holland): $397.6 million in 2016.

Page 4

Legal Risk

• Regulatory
  • Fines
  • Sanctions
• Civil Law Suit
  • Tort Liability
    • Negligence
    • Standard of Care
• Contract
• Criminal

Page 5

Regulatory Tribbles

Page 6

Regulatory Risk

• SEC – Securities and Exchange Commission
• OIG – Office of Inspector General
• NCUA – National Credit Union Association
• FFIEC – Federal Financial Institutions Examination Council
• FINRA – Financial Industry Regulatory Authority
• CFPB – Consumer Financial Protection Bureau
• FTC – Federal Trade Commission
• FCC – Federal Communications Commission
• FDIC – Federal Deposit Insurance Corporation
• NAIC – National Association of Insurance Commissioners

Page 7

Fine Inflation

Page 8

HIPAA

1. Advocate Health System (IL): $5.55 million, 2016
2. NewYork-Presbyterian Hospital and Columbia University (NY): $4.8 million, 2014
3. Cignet Health (MD): $4.3 million, 2011
4. Triple-S (PR): $3.5 million, 2015
5. University of Mississippi Medical Center (MI): $2.75 million, 2016

Page 9

Spokeo

Page 10

Home Depot / Target Settlements

Page 11

Product Liability

• Cars gone wild
• Privacy – Refrigerator sends naughty pictures to YouTube
• Medical Devices
• Supply Chain – China

Page 12

Medical Devices

Page 13

Internet of Things (IoT) Projected Market

Page 14

Standard of Care – NIST 800-183

• Through 2018, 50% of IoT device manufacturers will not be able to address threats from weak authentication practices.
• By 2020, more than 25% of identified enterprise attacks will involve IoT, though IoT will account for only 10% of IT security budgets.
• By 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources.
• By 2018, the need to prevent data breaches from public clouds will drive 20% of organizations to develop data security governance programs.

Page 15

Risk Transfer – Insurance

Page 16

Cloud Contracts

1. Cost
2. Service Levels
3. Compliance
4. Security
5. eDiscovery
6. Intellectual Property
7. Indemnification
8. Limitations of Damages
9. Term, Renewal, Modification

Page 17

eDiscovery

Page 18

US – Europe

Page 19

GDPR – General Data Protection Regulation

• Jurisdiction
  • Companies offering goods or services to data subjects (individuals) in the EU, or monitoring their behavior. Could be quite small.
  • Processors and Controllers
• Effective Date – May 25, 2018
• Compliance Framework – Probably ISO 27001
• Data Protected – PII
• Privacy Shield – self-certification with the Department of Commerce

Page 20

GDPR Rights

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling

Page 21

GDPR – DPO (Data Protection Officer)

• Expert knowledge of both data protection law and technology
• Managing internal data protection activities
• Notifications of data breaches for cyber incidents
• Managing the outsourcing of data processing activities, including the use of third-party vendors for HR, IT and marketing
• Working with the firm's designated supervisory authority
• Protected from dismissal
• Reports to the highest level of management

Page 22

EU Cloud Contracts

SLALOM (Service Level Agreement Legal and Open Model)

• Simple drafting
• Fair and balanced
• Flexible universal starting point – a great starting point for negotiations
• Consistency
• ISO compliant

Page 23

EU Internet of Things Regulations

• Data on the device is PII
• Processing data will require consent
• Device manufacturers, social platforms, third-party app developers and other third parties will be considered controllers or processors
• Everyone will have to carry out Privacy Impact Assessments and implement Privacy by Design and Privacy by Default solutions

Page 24

State Law

• Breach Notification
• FinTech Regulation
• New York Department of Financial Services
  • Third Parties – Mandatory Audits, Warranties
  • Mandatory Training
  • CISO
  • Mandatory multi-factor authentication for access to internal systems
  • Data Retention Policies
  • Breach notification – 72 hour rule

Page 25

China

According to China’s Foreign Ministry

“China's pending cyber security law will not create obstacles for foreign business”

Page 26

Deterring Criminal Behavior

• Law and Economics Analysis
• Expected Costs > Expected Benefit
• Costs
  • Probability of getting caught – small
  • Severity of the punishment – small
• Benefits – Huge

Page 27

Business Model

• Third Party
  • Credit Cards
  • Bank Account Information
  • Tax Identification Numbers
• Direct
  • Ransomware
  • Extortion
  • Business Email Compromise ("BEC") Fraud, e.g. Wire Transfers
  • Actionable Financial Information (Insider Information)
  • Intellectual Property
  • Industrial Espionage

Page 28

Change

• Change in the technology
• Change in the law and the regulatory environment
• Both will be fed by changes in politics and economics

Page 29

I wasn't there, I didn't do it, I can't remember and I deny everything

• The information in this lecture is for informational purposes only and does not constitute legal advice. These materials are intended, but not promised or guaranteed, to be current, complete, or up-to-date and should in no way be taken as an indication of future results. The information and articles on this website are offered only for general informational and educational purposes. They are not offered as, and do not constitute, legal advice or legal opinions. You should not act or rely on any information contained in this website without first seeking the advice of an attorney.