

1/23/2017

1

© 2015 Morgan, Lewis & Bockius LLP

Cybersecurity: Staying on Top of Changes in Laws and Regulations and the Role of Government in Promoting Effective Cybersecurity

Mark Krotoski

Jan. 25, 2016

Cybersecurity and Data Privacy Law Conference

The Center for American and International Law

Presenter: Mark Krotoski

• Litigation partner in the Privacy and Cybersecurity and Antitrust practices.

• Served as the National Coordinator for the Computer Hacking and Intellectual Property (CHIP) Program in the Department of Justice (DOJ) in Washington, D.C., and as a CHIP prosecutor in Silicon Valley, among other DOJ leadership positions.

• Successfully led prosecutions and investigations of nearly every type of international and domestic computer intrusion, cybercrime, and criminal intellectual property cases. Specialized in foreign economic espionage cases involving the theft of trade secrets with the intent to benefit a foreign government. He and his team successfully prosecuted two of the first foreign economic espionage cases authorized by DOJ under the Economic Espionage Act.

• Advises clients on developing effective Cybersecurity and Trade Secret Protection Plans and in responding to a data breach incident or misappropriation of trade secrets. He has written extensively on these issues.


Phone: 650-843-7212;

Email: [email protected]


Note

• Comments during this presentation are based upon publicly available information and on general observations and experience and not on any particular facts or specific cases.

• The views expressed during this presentation are those of the speaker, and not necessarily those of Morgan Lewis or any firm clients.


Overview

• Increasingly regulated environment

– Tension in complying with disparate cyber standards

– New emerging standards in multiple jurisdictions

– International standards

• Concurrent jurisdiction by multiple enforcers

• Proliferating, divergent cybersecurity standards

• Government role in promoting effective cybersecurity


NIST Cybersecurity Framework

• Voluntary flexible approach

• Collaboration with industry

• Focused on critical infrastructures

• Widely adopted

https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf

NIST Cybersecurity Framework


NIST Framework, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf


Draft Cybersecurity Framework 1.1

• Public comment on draft Framework Version 1.1 by April 10th, 2017 [email protected]

– Workshop to be convened

– Final Framework Version 1.1 issued around Fall 2017


Draft Framework Specific Comment Questions

• Are there any topics not addressed in the draft Framework Version 1.1 that could be addressed in the final?

• How do the changes made in the draft Version 1.1 impact the cybersecurity ecosystem?

• For those using Version 1.0, would the proposed changes impact your current use of the Framework? If so, how?

• For those not currently using Version 1.0, does the draft Version 1.1 affect your decision to use the Framework? If so, how?

• Does this proposed update adequately reflect advances made in the Roadmap areas?

• Is there a better label than “version 1.1” for this update?

• Based on this update, activities in Roadmap areas, and activities in the cybersecurity ecosystem, are there additional areas that should be added to the Roadmap? Are there any areas that should be removed from the Roadmap?


Comparing NIST Cybersecurity Framework with FTC Requirements

https://www.ftc.gov/news-events/blogs/business-blog/2016/08/nist-cybersecurity-framework-ftc

“If I comply with the NIST Cybersecurity Framework, am I complying with what the FTC requires?” From the perspective of the staff of the Federal Trade Commission, NIST’s Cybersecurity Framework is consistent with the process-based approach that the FTC has followed since the late 1990s, the 60+ law enforcement actions the FTC has brought to date, and the agency’s educational messages to companies, including its recent Start with Security guidance.

Comparing NIST Framework with FTC Requirements

https://www.ftc.gov/news-events/blogs/business-blog/2016/08/nist-cybersecurity-framework-ftc


Federal Laws

• Federal Trade Commission

– Section 5 (unfair and deceptive practices)

– Gramm-Leach Bliley Act Safeguards Rule (financial services)

– COPPA (children’s information)

• SEC

– Reg S-P Safeguarding Rule

– Reg S-P Disposal Rule

• HHS Office for Civil Rights

– Health Insurance Portability and Accountability Act (“HIPAA”)


FTC Request for More Authority

“The FTC supports federal legislation that would:

(1) strengthen its existing authority governing data security standards on companies and

(2) require companies, in appropriate circumstances, to provide notification to consumers when there is a security breach.”

Legislation “should give the FTC the ability to seek civil penalties to help deter unlawful conduct, jurisdiction over non-profits, and rulemaking authority under the Administrative Procedure Act.”


FTC Chairwoman Edith Ramirez, Statement on Data Breach on the Rise: Protecting Personal Information From Harm before the Senate Committee On Homeland Security And Governmental Affairs (April 2, 2014)


SEC Cybersecurity Disclosures

http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

Federal Financial Institution Regulations

• Advance Notice of Proposed Rulemaking on Enhanced Cyber Risk Management Standards

• Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and Federal Deposit Insurance Corporation

• Five categories of cyber standards:

– Cyber risk governance

– Cyber risk management

– Internal dependency management

– External dependency management

– Incident response, cyber resilience, and situational awareness

• Comment Period: February 17, 2017


Federal Role

• What is the role of the federal government on cybersecurity?

– Leadership

– Government and private industry balance

• Will new, specific federal cybersecurity standards be adopted?

– Particularized standards

• Given the proliferating standards at various levels of government, will federal preemption ultimately be necessary to remove the unnecessarily complex, costly and cumbersome data breach notification maze and other regulatory standards?


Increasing Enforcement and Regulatory Scrutiny

• Data Breach Notification

• New Highly Prescriptive Regulations

• Reasonable Cybersecurity


51 Data Breach Notification Jurisdictions


Core PI or PII Definition

• "Personal information" means either of the following:

(1) An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security:

(A) Social Security number.

(B) Driver's license number or State identification card number.

(C) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.


Expanding PII Definition

• "Personal information" means either of the following:

(1) An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security:

(A) Social Security number.

(B) Driver's license number or State identification card number.

(C) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.

(D) Medical information.

(E) Health insurance information.

(F) Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.


815 ILCS 530/5, Section 5 [Illinois House Bill 1260]

Expanding PII Definition

• "Personal information" means either of the following:

(1) An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security:

....

(2) User name or email address, in combination with a password or security question and answer that would permit access to an online account, when either the user name or email address or password or security question and answer are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security.


815 ILCS 530/5, Section 5 [Illinois House Bill 1260]


Expanding PII Definition

• Adding Usernames or Email Addresses

– California (2014)

– Florida (2014)

– Wyoming (2015)

– Nebraska (2016)

– Nevada (2016)

– Illinois (2017)


Encryption Safe Harbor

• Cal. Civil Code § 1798.29 (Jan. 2017) [Assembly Bill 2828]

• Disclosure of the breach:

– (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or,

– (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable.


Encryption Safe Harbor

• "Personal information" means either of the following:

(1) An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security:

....

(2) User name or email address, in combination with a password or security question and answer that would permit access to an online account, when either the user name or email address or password or security question and answer are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security.


815 ILCS 530/5, Section 5 [Illinois House Bill 1260]

Massachusetts Data Breach Notification Archive

http://www.mass.gov/ocabr/press-releases/2017/ocabr-data-breach-archive.html


Public Data Breach Notification Websites

http://www.doj.state.or.us/releases/Pages/2016/rel010716a.aspx

Public Data Breach Notification Websites


HHS Office for Civil Rights

https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Increasing Enforcement and Regulatory Scrutiny

• Data Breach Notification

• New Highly Prescriptive Regulations

• Reasonable Cybersecurity


NY Department of Financial Services

http://www.dfs.ny.gov/about/press/pr1609131.htm

“[A]nnounced that a new first-in-the-nation regulation has been proposed to protect New York State from the ever-growing threat of cyber-attacks. The regulation requires banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.”

NY Department of Financial Services

• Written Risk Assessment

– Annually

• Written Cybersecurity Policy

– Addressing “at minimum” 14 areas

– Reviewed by board

– Approved by Senior Officer

• Written Incident Response Plan

• CISO Biannual Report for Board

– Available to superintendent upon request

• Third party information security policy

• Cybersecurity awareness training

– Updated to reflect annual risk assessment

http://www.dfs.ny.gov/about/press/pr1609131.htm

• Cybersecurity audit records

– Maintained for at least 6 years

• Testing

– Annual penetration testing and risk assessments

– Quarterly vulnerability assessments

• NYDFS Notification

– Within 72 hours of certain “Cybersecurity Events”, defined as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System”

• Annual Certification

– Board annually review the cybersecurity program and submit a Certification of Compliance


NYDFS Update and Delayed Implementation

http://www.dfs.ny.gov/about/press/pr1612281.htm

“The proposed regulation, which will be effective March 1, 2017, will require banks, insurance companies, and other financial services institutions regulated by DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.”

Increasing Enforcement and Regulatory Scrutiny

• Data Breach Notification

• New Highly Prescriptive Regulations

• Reasonable Cybersecurity


• What constitutes reasonable cybersecurity?

What is unreasonable?

What constitutes “unfair cybersecurity practices”?

Enforcement and Regulatory Focus

Major Case

FTC v. Wyndham Worldwide Corp.

Complaint allegations:

• Hotels stored payment card information in clear readable text

• Use of easily guessed passwords to access the property management systems

• Failed to use firewalls to “limit access”

• Failed to ensure that the hotels implemented “adequate information security policies and procedures”

• Failed to “adequately restrict” the access of third-party vendors to its network and the servers

• Failed to employ “reasonable measures to detect and prevent unauthorized access” to its computer network or to “conduct security investigations”

• Failed to follow “proper incident response procedures.”


FTC v. Wyndham Worldwide Corp. (3d Cir.)

• Section 5 prohibits “unfair or deceptive acts or practices in or affecting commerce”

• “Unfair cybersecurity practices”

• Open issue before Third Circuit: Can overstating cybersecurity policies lead to deception claim?

799 F.3d 236 (3d Cir. 2015)

FTC v. Wyndham Worldwide Corp.


“Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

https://www.ftc.gov/news-events/press-releases/2012/06/ftc-files-complaint-against-wyndham-hotels-failure-protect


FTC Reasonableness Standard

• Reasonable cybersecurity practices based on

– Volume and sensitivity of information the company holds

– Size and complexity of the company’s operations

– Cost of the tools that are available to address vulnerabilities

– Other factors

https://www.ftc.gov/news-events/blogs/business-blog/2016/08/nist-cybersecurity-framework-ftc

Statutory Reasonableness Standard

• Cal. Civ. Code § 1798.81 businesses must take “reasonable steps to dispose, or arrange for the destruction of customer records within its custody or control containing personal information.”

• Cal. Civ. Code § 1798.81.5 businesses that “own” or “license” personal information about a California resident must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”


Reasonable Security Standard

• Maryland Code of Comm. Law §14–3503.

(a) To protect personal information from unauthorized access, use, modification, or disclosure, a business that owns or licenses personal information of an individual residing in the State shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information owned or licensed and the nature and size of the business and its operations.

(b) (1) A business that uses a nonaffiliated third party as a service provider to perform services for the business and discloses personal information about an individual residing in the State under a written contract with the third party shall require by contract that the third party implement and maintain reasonable security procedures and practices that:

(i) Are appropriate to the nature of the personal information disclosed to the nonaffiliated third party; and

(ii) Are reasonably designed to help protect the personal information from unauthorized access, use, modification, disclosure, or destruction.


California Presumption

• RECOMMENDATION 1: The 20 controls in the Center for Internet Security’s Critical Security Controls define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.

https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf?


PROLIFERATING, DIVERGENT CYBERSECURITY STANDARDS

Concurrent Jurisdiction

• Recent cases:

– Federal Trade Commission

– Securities and Exchange Commission

– State Attorneys General

– U.S. Department of Justice


Differing State Notification Standards

• What form of notice is required?

– Email notification

– Substitute notice

• What consequences and penalties?

– Private right of action

• Are there any industry-specific requirements?

– Insurance (GA, KS, ME, MT)

– Medical records (CA, LA)

– Financial institutions (MN)

– Public utilities (MI)


• Who must be notified?

– Customers

– Government

• When must they be notified?

– Reasonable notice

– Delayed notification

• What data (PII) triggers notification?

• What constitutes a “data breach”?

– What exemptions?

– Any reasonable likelihood of harm?

Form of Notice

Including but not limited to:

• The consumer's right to obtain a police report

• How a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze, and

• Any fees required to be paid to any of the consumer reporting agencies

But the notice “shall not include”:

• The nature of the breach or unauthorized acquisition or use

• The number of residents of the commonwealth affected by said breach or unauthorized access or use.

Mass. Gen. Laws § 93H-1(3)(b)


Form of Notice

• Specific notice requirements

– Plain language, titled “Notice of Data Breach”

– Use “the following headings”:

– “What Happened”

– “What Information Was Involved”

– “What We Are Doing”

– “What You Can Do”

– “For More Information”

– Format “designed to call attention to the nature and significance of the information”

– Title and headings “clearly and conspicuously displayed”

– Text “no smaller than 10-point type”

Cal. Civ. Code § 1798.82(d)(1)

Delayed Law Enforcement Notification

• “The notification required by this act may be delayed if a law enforcement agency determines and advises the entity in writing specifically referencing this section that the notification will impede a criminal or civil investigation. The notification required by this act shall be made after the law enforcement agency determines that it will not compromise the investigation or national or homeland security.”

Pennsylvania Breach of Personal Information Notification Act, 73 P.S. § 2304

• “(b) If a federal, state, or local law enforcement agency determines that notice to individuals required under this subsection would interfere with a criminal investigation, the notice shall be delayed upon the written request of the law enforcement agency for a specified period that the law enforcement agency determines is reasonably necessary. A law enforcement agency may, by a subsequent written request, revoke such delay as of a specified date or extend the period set forth in the original request made under this paragraph to a specified date if further delay is necessary.”

Florida Information Protection Act, Fla. Stat. § 501.171(4)(b)


Data Security and Breach Notification Act of 2015 (H.R. 1770)

• March 25, 2015

• House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade

• Bipartisan introduction

– Energy and Commerce Committee Vice Chairman Marsha Blackburn (R-TN)

– Rep. Peter Welch (D-VT)


• National standard to maintain reasonable security to protect and secure personal information

– Technology and process neutral standard with flexibility for innovation and new technologies

• Notification not later than 30 days

– Unless there is no reasonable risk of identity theft, economic loss, economic harm, or financial fraud

– Delayed notification for law enforcement or national security purposes

• FTC and State AG enforcement

– Violation is an unfair and deceptive act or practice under the FTC Act

• No private right of action

• Does not preempt privacy law

Data Security and Breach Notification Act of 2015 (H.R. 1770)

https://energycommerce.house.gov/news-center/press-releases/data-security-solution-moves-forward


State Attorney General Opposition

http://www.naag.org/assets/redesign/files/sign-on-letter/Final%20NAAG%20Data%20Breach%20Notification%20Letter.pdf

State Preemption Provisions

• § 899-aa. Notification; person without valid authorization has..., NY GEN BUS § 899-aa

• 9. “The provisions of this section shall be exclusive and shall preempt any provisions of local law, ordinance or code, and no locality shall impose requirements that are inconsistent with or more restrictive than those set forth in this section.”


State Preemption Provisions

• 73 P.S. § 2306 Preemption

• “This act deals with subject matter that is of Statewide concern, and it is the intent of the General Assembly that this act shall supersede and preempt all rules, regulations, codes, statutes or ordinances of all cities, counties, municipalities and other local agencies within this Commonwealth regarding the matters expressly set forth in this act.”


State Preemption Provisions

• Mich. Comp. Laws § 445.72

• (18) “This section deals with subject matter that is of statewide concern, and any charter, ordinance, resolution, regulation, rule, or other action by a municipal corporation or other political subdivision of this state to regulate, directly or indirectly, any matter expressly set forth in this section is preempted.”


Call for Harmonization

• RECOMMENDATION 5: State policy makers should collaborate to harmonize state breach laws on some key dimensions. Such an effort could reduce the compliance burden for companies, while preserving innovation, maintaining consumer protections, and retaining jurisdictional expertise.

https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf?

Harmonization is Not Occurring

• Inevitable nuances

• Many years to harmonize even assuming there is agreement

• Disparate standards will invite pre-emption and efforts to promote uniformity


Role of Government on Cybersecurity

• How to incentivize effective cybersecurity practices?

– How much carrot and how much stick?

• Given limited resources, what are the costs and burdens of compliance?

• Is cybersecurity meaningfully enhanced?

– Recognizing no “one size fits all” and need for flexibility and options


Cybersecurity Regulatory Principles

• How is effective cybersecurity incentivized and promoted by the proposed regulation?

– Can the objectives be accomplished through guidance or voluntary standards?

– What costs and burdens are imposed by the proposed regulation?

• What flexibility allows for tailored cybersecurity solutions?

– No “one-size-fits-all approach to managing cybersecurity risk”

• What existing regulatory standards apply?

– What justifies new standards?

– Is there any reason the standards cannot be harmonized?

• Will any new standards become obsolete based on new technology and evolving standards?

– Why freeze the regulatory standards into law?

– Why impose certain regulatory standards in a changing technological environment?

• What input does the private sector provide on the standards?


Questions


Mark L. Krotoski

Washington, DC
tel. +202.739.5024

Silicon Valley, California
tel. +650.843.7212

[email protected]

This material is provided as a general informational service to clients and friends of Morgan, Lewis & Bockius LLP. It does not constitute, and should not be construed as, legal advice on any specific matter, nor does it create an attorney-client relationship. You should not act or refrain from acting on the basis of this information. This material may be considered Attorney Advertising in some states. Any prior results discussed in the material do not guarantee similar outcomes. Links provided from outside sources are subject to expiration or change.

© 2015 Morgan, Lewis & Bockius LLP. All Rights Reserved.

THANK YOU


ASIA

Almaty

Astana

Beijing

Singapore

Tokyo

EUROPE

Brussels

Frankfurt

London

Moscow

Paris

MIDDLE EAST

Dubai

NORTH AMERICA

Boston

Chicago

Dallas

Harrisburg

Hartford

Houston

Los Angeles

Miami

New York

Orange County

Philadelphia

Pittsburgh

Princeton

San Francisco

Santa Monica

Silicon Valley

Washington, DC

Wilmington
