Business and Legal Issues in Cyber Law-Spring22

School: Kenyatta University
Course: LPL 204
Subject: Law
Date: Nov 24, 2024
Type: pptx
Pages: 20
Business and Legal Issues in Cyber Law
Joe Jabara
INF-157-001-20819 - Cyber Law and Ethics, Wichita State University

What is Cyber Law?
Includes all of the following:
- Criminal Law
- Information and Privacy Law
- Administrative Law/Regulatory Law
- Tort Law
- International Law
- Intellectual Property Law
- The Interaction of Innovation and Regulation
Most of what we talk about in this module is from a liability standpoint.

Where do I Find the Sources?
The Basic Legal Framework (the tip of the iceberg)
- U.S. Constitution: 4th Amendment
- Information and Privacy Law: FOIA/Privacy Act
- Criminal Law: Computer Fraud and Abuse Act; Federal Wiretap Act; Stored Communications Act
- Administrative Law: CFR; KORA and state open records laws; specific industry regulations
- Tort Law: Breach of duty? Damages?
- International Law... international norms?
- Cyber Security: CISA
A Survey of the Major Regulatory Guidance
(Columns: Law, Policy or Regulation; Source; Applies To?; Basic Guidance and Intent; Penalties or Potential Criminal Charges; Wildcards/Concerns/Future; Examples of Badness)

Federal Information Security Modernization Act (FISMA)
- Source: United States Code
- Applies to: all federal agencies, state agencies administering federal programs, and government contractors under NIST standards
- Guidance and intent: requires federal agencies to develop an agency-wide information security program
- Penalties: censure, removal of funding, bad publicity
- Wildcards/concerns/future: enormous to manage, long-reaching effects; private sector next? Impact on universities
- Example of badness: OPM

Gramm-Leach-Bliley Act (GLBA)
- Source: United States Code
- Applies to: companies that offer financial products or services to individuals; consumers are those who use those products
- Guidance and intent: cybersecurity must be robust and tested according to the Safeguards Rule of the Act, plus employee training requirements
- Penalties: up to 10k personal liability, 100k institution liability; criminal charges possible in some cases
- Wildcards/concerns/future: started as a way to keep personal data from flowing unregulated when companies merged; sector oriented but a wide net; cyber safeguards are a small part of the Act
- Example of badness: PayPal/Venmo

Health Insurance Portability and Accountability Act (HIPAA)
- Source: United States Code
- Applies to: healthcare providers, health plans, and healthcare clearinghouses if those organizations transmit health data electronically in connection with transactions for which the Department of Health and Human Services has adopted standards
- Guidance and intent: the Security Rule of the Act establishes requirements for data processors to adopt, including cyber protection measures and breach reporting
- Penalties: tiered fine schedule
- Wildcards/concerns/future: the Health Information Technology for Economic and Clinical Health (HITECH) Act spun off of HIPAA as electronic records became normal; requires reports of breaches, and later legislation encourages best practices and information sharing
- Example of badness: Medical Informatics Engineering of Indiana

General Data Protection Regulation (GDPR)
- Source: EU
- Applies to: protection of EU residents' data, but anyone doing business with those residents is subject to the Act
- Guidance and intent: enforceable in 2018; protect data, encourage planning and recovery
- Penalties: fines for non-compliance, whether intentional or unintentional (hacked without safeguards)
- Wildcards/concerns/future: affects US businesses through extraterritorial jurisdiction and scope; will the US come up with a similar act? Big US businesses getting investigated heavily
- Example of badness: Google

Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012
- Source: DoD
- Applies to: government contractors and subcontractors doing business with DoD that store, process or transmit covered defense information (Controlled Unclassified Information, CUI)
- Guidance and intent: requires contractors to implement NIST SP 800-171 standards
- Penalties: breach of contract, potential barred lists
- Wildcards/concerns/future: increased audits, management of subcontractors by contractors; similar application in the works for all government contracts
- Example of badness: Markus case, potential for False Claims Act standing

NIST SP 800-171 and accompanying guidance
- Source: National Institute of Standards and Technology
- Applies to: primarily contractors and subcontractors with a US government entity, including DoD
- Guidance and intent: sets standards for safeguarding CUI by government contractors and subcontractors; some subjects covered are encryption, boundary protection, and vulnerability scans
- Penalties: breach of contract, barred lists (more of a threat if a DoD contractor)
- Wildcards/concerns/future: this area has spawned growth in compliance companies; still new to cyber law, so it seems to be evolving
- Example of badness: whistleblower cases

And the Newest Law... CMMC
- On Jan 30, DoD released Version 1.0 of the Cybersecurity Maturity Model Certification (CMMC)
- 390 pages
- Requires DoD contractors to obtain certification; in effect now

Make the DoD Supply Chain Less Vulnerable
Why was this created?
- Combat malicious cyber actors targeting intellectual property in the DoD's supply chain
- Ultimately will replace/combine other "pieced together" standards such as NIST SP 800-171 for DFARS and FARs
- Introduced a level-based compliance structure for DoD contractors
What is inspected...

CMMC Continued... Other Key Highlights
- An independent third-party assessment organization will normally perform the assessment. Some higher-level assessments may be performed by organic DoD assessors within the Services, the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA).
- Certification level will be made public.
- All companies conducting business within DoD need to be certified.
Legal Ramifications
- Will not be awarded government contracts if shown as non-compliant.
- Should self-inspections/pre-audit activity be held under attorney/client work product privilege?
- Whistleblower cases.
- These are also industry standards... if not followed, a breach could occur and legal liability could ensue (see the WaWa case as an example).

Executive Order on Improving the Nation's Cybersecurity (signed 12 May) - Summary

Remove Barriers to Threat Information Sharing Between Government and the Private Sector. The Executive Order ensures that IT service providers are able to share information with the government and requires them to share certain breach information. IT providers are often hesitant or unable to voluntarily share information about a compromise. Sometimes this can be due to contractual obligations; in other cases, providers simply may be hesitant to share information about their own security breaches. Removing any contractual barriers and requiring providers to share breach information that could impact government networks is necessary to enable more effective defenses of federal departments, and to improve the Nation's cybersecurity as a whole.

Modernize and Implement Stronger Cybersecurity Standards in the Federal Government. The Executive Order helps move the federal government to secure cloud services and a zero-trust architecture, and mandates deployment of multifactor authentication and encryption within a specific time period. Outdated security models and unencrypted data have led to compromises of systems in the public and private sectors. The federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.

Improve Software Supply Chain Security. The Executive Order will improve the security of software by establishing baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available. It stands up a concurrent public-private process to develop new and innovative approaches to secure software development and uses the power of federal procurement to incentivize the market. Finally, it creates a pilot program to create an "energy star" type of label so the government, and the public at large, can quickly determine whether software was developed securely. Too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit. This is a long-standing, well-known problem, but for too long we have kicked the can down the road. We need to use the purchasing power of the federal government to drive the market to build security into all software from the ground up.

Establish a Cybersecurity Safety Review Board. The Executive Order establishes a Cybersecurity Safety Review Board, co-chaired by government and private sector leads, that may convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity. Too often organizations repeat the mistakes of the past and do not learn lessons from significant cyber incidents. When something goes wrong, the Administration and private sector need to ask the hard questions and make the necessary improvements. This board is modeled after the National Transportation Safety Board, which is used after airplane crashes and other incidents.

Create a Standard Playbook for Responding to Cyber Incidents. The Executive Order creates a standardized playbook and set of definitions for cyber incident response by federal departments and agencies. Organizations cannot wait until they are compromised to figure out how to respond to an attack. Recent incidents have shown that within the government the maturity level of response plans varies widely. The playbook will ensure all federal agencies meet a certain threshold and are prepared to take uniform steps to identify and mitigate a threat. The playbook will also provide the private sector with a template for its response efforts.

Improve Detection of Cybersecurity Incidents on Federal Government Networks. The Executive Order improves the ability to detect malicious cyber activity on federal networks by enabling a government-wide endpoint detection and response system and improved information sharing within the federal government. Slow and inconsistent deployment of foundational cybersecurity tools and practices leaves an organization exposed to adversaries. The federal government should lead in cybersecurity, and strong, government-wide Endpoint Detection and Response (EDR) deployment coupled with robust intra-governmental information sharing are essential.

Improve Investigative and Remediation Capabilities. The Executive Order creates cybersecurity event log requirements for federal departments and agencies. Poor logging hampers an organization's ability to detect intrusions, mitigate those in progress, and determine the extent of an incident after the fact. Robust and consistent logging practices will solve much of this problem.
More... State Legislation: Pending Cybersecurity Law by State

Hot Cybersecurity Law Topics
Aside from the formal measures introduced in or passed by the House or Senate, a number of hot-topic cybersecurity issues are emerging as key subject areas for new legislation, or at least high-level Congressional debate, during 2020.

1. Election security: Despite an additional $425 million authorized by Congress to strengthen election security at the state level as part of appropriations bills passed in December, Democrats believe Congress hasn't done enough to protect the country while the presidential election year moves into full swing. Senator Ron Johnson (R-WI), Chairman of the Senate Homeland Security and Governmental Affairs Committee, said he plans to hold hearings on the topic in 2020. House Administration Committee Chairwoman Zoe Lofgren might hold oversight hearings on the topic early in the year.

2. Ransomware threats: 2019 saw a rash of ransomware attacks that crippled the city governments of Baltimore, Pensacola and New Orleans along with a number of other municipalities in the U.S. Although two bills have been introduced to help local governments deal with this growing concern, the State and Local Government Cybersecurity Act of 2019 and the K-12 Cybersecurity Act of 2019, it's likely that lawmakers will focus additional attention on these threats, particularly if more high-profile government ransomware attacks occur.

3. Foreign apps: As fears of supply chain threats ramp up in the U.S., with notable bans implemented by the Trump Administration on Chinese tech companies such as Huawei, a new avenue of concern has opened up regarding popular consumer apps that originate outside the U.S. The U.S. Navy and Army have already banned their personnel from using the Chinese viral video app TikTok on government-issued phones. New reports indicate that the popular Middle Eastern app ToTok is being used as spyware for the government of the United Arab Emirates, sparking some lawmakers to express concern over the national security implications of the app.

4. DHS subpoena power: The DHS has floated a legislative proposal to give it subpoena power to speed up CISA's ability to interact with critical infrastructure companies that are the targets of foreign cyberattacks. The administrative subpoena power that DHS seeks would require ISPs to turn over information on equipment owners for which CISA has IP addresses so that the agency can contact them about the threats.

Another development worth watching as Congress returns from recess is the emergence of a federal strategy for defending the U.S. government against cyberattacks that lawmakers say could be finalized as early as March. The strategy flows from a commission created after the passage of the 2018 National Defense Authorization Act, and a draft version of the commission's report is already circulating among lawmakers. The report will focus on protecting federal assets from cyberattacks but could prove useful to state and local government, too.
You aren’t kidding!
Privacy Law: General Data Protection Regulation (GDPR), EU based
What types of privacy data does the GDPR protect?
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if it does not have a business presence within the EU.
The GDPR places equal liability on data controllers (the organization that owns the data) and data processors (outside organizations that help manage that data).
72 hours to report a breach.

Privacy Law (coming to every state): California Consumer Privacy Act
- Allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with.
- California law allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach.
- All companies that serve California residents and have at least $25 million in annual revenue, or store data on 50,000 people and get 50% of revenue from data storage, must comply with the law.
- Companies don't have to be based in California or have a physical presence there to fall under the law. They don't even have to be based in the United States.
- Effective 1 January 2020.

Trends in the Law
- Negligence for failing to meet industry standards in security practices
- Zoom lawsuits
- Ring doorbell lawsuits
- Credit card breaches
- Privacy notices as implied contracts
- Failure to notify of breach
- Tort: invasion of privacy
- Hacker rarely gets sued
- Dunkin Donuts lawsuit
Other Cyber Nightmares
- Jurisdiction over e-business: seller or middle man?
- Arbitration clause/consent to jurisdiction: new federal appeals case
- Foreign companies: collection of judgments against foreign companies
- Social media creeping into the workplace
- Bitcoins (Disclaimer: I have very limited working knowledge of this subject)

Why do I care?
- Legal compliance impacts the bottom line
- Communicating with GC can help resolve issues early
- What you don't know CAN hurt you!

Take Aways
- Know the legal and regulatory framework
- Know your systems
- Know your general counsel and keep her informed
- Ensure employees understand guidelines and limits
- Know the current political situation... sign up for e-mail alerts
  - National leadership discussion/debate
  - Congress... status of bills impacting industry
- Data breach... there will be a scapegoat... don't let it be you!
Take Aways
Don't ever underestimate the improbable...

Resources
- https://www.sba.gov/managing-business/cybersecurity
- https://www.nist.gov/itl/applied-cybersecurity/nice
- https://www.dhs.gov/topic/cybersecurity
- https://hbr.org/2019/09/why-companies-are-forming-cybersecurity-alliances
- https://www.cisecurity.org/
- https://www.ic3.gov/default.aspx