Information Protection and Data Security: Current & Projected Issues

Information Protection and Data Security: Current & Projected Issues
William J. Cook
National Science Foundation

Bill Cook
» Partner, Wildman Harrold, Chicago
» Intellectual Property, Internet and Web law (Business Continuity and Security)
» Chicago IMNA Board Member, Immediate Past President
» Former Head of US DOJ Computer Crime Task Force; Counter-Espionage Coordinator and Counter-Terrorist Coordinator; DOJ FEMA Coordinator (Chicago)
» 90 trials
» NRC Committee on Critical Infrastructure Protection and the Law
» Expert presentations on Internet liability before U.S. House Judiciary Comm., GAO, FCC, Infragard
» Protection of intellectual property, application of security standards, assessing corporate liability
WILDMAN HARROLD | ATTORNEYS AND COUNSELORS, February 21, 2007

Research Lab Intrusion
» Proof of theft
» Value of stolen data
» Estimated market
» R&D costs – members of technical staff
» How good a witness are you?
» Policies and practices

Offsite Work
» Controlled environment
» Scope
» Network access
» Authorization scope
» Search

Liability From Stolen Computers
» Lime Wire
» Contents protection
» Database of health information, personal credit cards and other personal information missing
» Vendor forced to meet ISO 17799 and corporate standards
» Prepared and oversaw E&Y ISO 17799 security audit and evaluated compensating controls
» Negotiated vendor contract changes and remediation
» Rewrote security provisions for vendor contracts

Case Study 2 – Trade Secret Theft by Defecting CEO
» CEO and 5 key employees left ecommerce client with trade secret information to start up competing company
» Actions taken:
  » Immediately walled off data at new employer
  » Checked client’s records for data transfers
  » Forced forensic analysis of departed hard drives to locate stolen information
  » Evaluated Economic Espionage Act referral
» Opponents clearly understood liability and embarrassment if they did not cooperate
» Used threat of litigation to achieve client’s business strategy without actually having to go to court
» Negotiated return of all data and essentially shut down potential competitor

Case Study 3 – Justifying Competitive Intelligence Gathering
» Client’s President accessed competitor’s FTP site and obtained customer lists, vendor price lists, source code
» Criminal and civil actions filed against Client at the same time as FBI search of corporate offices
» Actions taken:
  » Conducted internal investigation
  » Represented Company to FBI and DOJ
  » All charges dropped and declination letter received
  » Successfully countered civil action by analysis of competitor’s security practices, FTP site permissions and actual practices
  » Assisted in PR response

William J. Cook
225 W. Wacker Dr.
Chicago, IL 60606
312.201.2399
cook@wildmanharrold.com

Observations
» Continued Russian intrusions into financial community
  » Credit cards
  » Online trading accounts
» Expect increased Iranian & Chinese involvement
» Take advantage of credit card association misdirection
» Industrial espionage
  » Current & former employees
  » Vendor attacks and negligence
  » Competitors
» Privacy initiatives v. crisis response
» VOIP
» Legal speed

Legal Approach to Information Security
» The problem – near total corporate reliance on electronic information creates a major potential vulnerability that can adversely affect all stakeholders
» The response – developing law addresses the security of this information in three ways:
  » It protects the security of your corporate information assets
  » It imposes security obligations and liability on your business
  » It gives you some legal benefits for implementing security

Information Security Obligations – Key Trends
» Rapid expansion of corporate legal obligations
» Newly developing law is:
  » Imposing a general duty to provide security
  » Defining the legal requirements for “reasonable security”
  » Raising liability to the executive office
  » Imposing a duty to notify of breaches

Key Trend: Duty to Provide Security for Information
» Major trend driven by expansion of privacy law
» Expanding across all industries
  » Not just financial and healthcare sectors
  » Impact on range of corporate deals
» Applies to most corporate data
  » Not just personal data
  » Also financial, transactional, tax, confidential, etc.
» It is all about protecting the stakeholders
  » Shareholders / investors, employees, customers and prospects, interests of regulatory agencies, unrelated third parties, national interests

Sources of Security Obligations
» Many sources, no single law or regulation
» U.S. Federal laws and regulations
  » Electronic records generally – E-SIGN
  » Financial records – Sarbanes-Oxley
  » Tax records – IRS
  » Other records – SEC, FDA, HHS, etc.
» Personal information
  » GLBA (financial industry)
  » HIPAA (healthcare records)
  » COPPA (children)
  » Safe Harbor (EU source data)
  » FTC Section 5 (all industries)

Sources of Security Obligations (cont.)
» State laws and regulations
  » Electronic records generally – UETA
  » General security laws
  » Obligations to implement security
  » Data destruction laws
  » Other specific laws, e.g., EFT, insurance, etc.
» Evidentiary requirements
  » e.g., Am. Ex case
» Contractual commitments

Sources of Security Obligations (cont.)
» Tort law
  » Bell v. Michigan Council – failure to provide security for employee data
  » In re Verizon – failure to apply patches
» FTC and State AG enforcement actions
  » False representations and promises
  » Unfair business practices
» International laws
  » EU Data Protection Directive
  » EU country implementing laws and regulations
  » Argentina, Australia, Canada, Japan, and others

Legal Standards Roughly Follow Technology
» Because security is a legal obligation, what do you have to do?
  » Do you have to encrypt this data?
  » Are passwords sufficient or do you need a token?
  » Is it OK to allow Wi-Fi access?
» A “legal” standard for “reasonable security” is developing in the U.S.
  » It is focused on a “process” rather than specific technical requirements

Key Trend: Satisfying the Legal Standard Depends on the Company’s Process
» Identify the assets to be protected
  » Both (i) under company control and (ii) outsourced
» Conduct risk assessment
  » Identify and evaluate threats, vulnerabilities, and damages
  » Consider available options
» Develop and implement a security program
  » That is responsive to the risk assessment
  » That addresses the required categories of controls
» Address third parties
» Continually monitor, reassess, and adjust
  » To ensure it is effective
  » To address new threats, vulnerabilities, and options

Key Trend: Executive Responsibility for Information Security
» Who?
  » Not just CIO and risk management functions
  » CEO, CFO, GC, Senior Management
  » Board of Directors
» What?
  » Approve the security program
  » Oversee development, implementation, and maintenance of the security program
  » Require regular reporting

Key Trend: Duty to Disclose Security Breaches
» Duty to disclose security breaches to:
  » Those who may be affected/injured
  » Regulators, enforcement agencies, etc.
» Obligation akin to “duty to warn”
» Started in California in 2003, now 34 states impose some obligation
» Laws differ, but all based on California model
» Having a major PR impact

States Imposing Legal Obligations
[Map of U.S. states, not reproduced in text]
Legend:
» States with breach notification laws
» States with breach notification laws and with laws imposing obligations to provide security
Footnotes:
1. Applies to information brokers only.
2. Applies to state agencies only.

Breach Notification Legal Requirements
» Covered information – “name” plus one of:
  » SSN
  » Driver’s license number
  » Financial account or credit card number
  » Other
» Triggering event
  » Any breach of security, or
  » Breach with reasonable likelihood of harm
» Obligation on breach
  » Notify persons whose information compromised
  » Notify state enforcement agencies – (some states)
  » Notify credit agencies – (some states)

Breach Notification Legal Requirements (cont.)
» Timing of the notice
  » In the “most expedient time possible and without unreasonable delay”
  » Delay OK for law enforcement investigation or to take necessary measures to determine the scope of the breach and restore system integrity
» Form of notice
  » In writing
  » Electronic form (but must comply with E-SIGN)
  » Substitute notice
  » Alt – follow company incident response plan
» Penalties
  » State enforcement (e.g., A.G. office)
  » Some private right of action

Typical Security Areas of Risk
» Former or current employees
» Company officers
» Vendors
» Agents
» Competitors

Common Targets of Security Breaches
» Customer lists
» Sales and marketing strategies and plans
» Developing technology
» Computer source code
» Employee information
» Health information
» Corporate attorney-client communications
» Litigation strategy

Downstream Liability Issues
» Standard of care before intrusion
» How much due diligence can be proven
» Corporate policies
» Public relations: yes or no
» SEC and stockholder issues
» Board of Director issues