iss acon2010 tomhave-navetta-final
DESCRIPTION
Tomhave and Navetta presentation at the 2010 ISSA International Conference
TRANSCRIPT
Slide 1
Legally Defensible, Proactively Protected
David Navetta, Esq., CIPP
Benjamin Tomhave, MS, CISSP
Slide 2
David Navetta, Esq., CIPP
Founding Partner, InfoLawGroup LLP
Co-Chair, ABA Information Security Committee
Certified Information Privacy Professional (through IAPP)
Slide 3
Ben Tomhave, MS, CISSP
Gemini Security Solutions
MS Engineering Mgmt (InfoSec Mgmt)
Co-Vice Chair, ABA ISC
~15 yrs (AOL, WF, E&Y, INS/BT, ICSA Labs)
Slide 4
“Just the Facts”
Not if, but when
Mounting legal costs
Increasing regulatory burden
SECURITY PROS WILL HAVE TO DEFEND THEIR DECISIONS IN A FOREIGN REALM: the legal world
Slide 5
The Gap is Acute
Collision of the legal and information security worlds
More regulations, more lawsuits, more contract obligations
Making decisions that have legal implications and interpreting legal requirements
Conversation is lacking or non-existent
Slide 6
Multiple Legal Regimes
State, Federal, International (e.g. E.U.)
Evolving & Overlapping laws, jurisdictions
Regulator / private enforcement
Contract law
Tort law
Securities law
Slide 7
Legal Defensibility
Viewing requirements from an external legal perspective (plaintiff, judge, jury, regulator)
Security choices become legal positions
Security decision-making process with legal baked in
The goal is to anticipate reasonably foreseeable (legal) consequences and reduce legal risks
Slide 8
Using Legal Defensibility...
Key Attributes
Real-World Examples
Recommended Steps
Action Plan
Slide 9
Sidebar: LegDef Origins
★ Survivability
★ Defensibility
★ Recoverability
Resilience
How to codify?
Slide 10
Key Attributes
Risk Management
Awareness, Understanding, Translation
Collaboration
Documentation of decision-making processes and of key infosec decisions with potential for legal impact
Attorney-client privilege
Slide 11
Real-World Examples
HHS: investigations v. actions
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/data/historicalnumbers.html#seventh
Online banking
Shames-Yeakel v. Citizens Financial Bank
EMI (Experi-Metal, Inc.) v. Comerica
Guin v. Brazos Higher Education Service Corp. Inc.
Slide 12
PCI Interpretative Variances
12.8 If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers, to include the following:
12.8.1 Maintain a list of service providers.
12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.
12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement
12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status.
Slide 13
Security v. Legal Viewpoint
PCI SECURITY VIEWPOINT V. LEGAL VIEWPOINT
Slide 14
Key Legal Issues
“Reasonable” “Appropriate” “Comprehensive” “Adequate”
Risk-based factors
Size, scope, type, complexity of organization
Nature and scope of activities
Resources of company
Sensitivity of data
Volume of data
Third-party security assessments – matching risk tolerance
Slide 15
Key Legal Issues
What legal obligations?
Interpretation by courts/regulators
Foreseeability!
Plaintiff attorney strategies
Litigation strategy and procedure
Slide 16
Examples of Legal Obligations
Security “standards” under the law
Contract obligations
Service providers and outsourcing
Document retention and preservation
Slide 17
Indicia of Legal Compliance
Risk analysis and remediation
Comply with own policies
Misrepresentations
Specific controls
Vendor management
Compliance with standards
Slide 18
Recommended Steps
A champion arises!
Find your allies
Perform analysis
Create your strategy
Execute (w/ documentation!)
Slide 19
Action Plan
1. Hold key stakeholder meeting(s) and collaboration
2. Conduct information security legal audit
★ What legal requirements apply?
★ Do current security measures address those legal requirements?
Slide 20
Action Plan
3. Conduct legal defensibility analysis:
★ Develop security decision process formally incorporating legal analysis
★ Address areas of non-compliance
★ Develop legal positions on high risk legal requirements
★ Develop legal positions for “gray area” legal requirements
Slide 21
Action Plan
4. Memorialize positions and proof:
★ Document indicia of legal compliance (e.g. identify standards compliant with, documentation of due diligence, etc.)
★ Document applicable legal positions under attorney-client privilege
Slide 22
Q & A
THANK YOU!
Slide 23
Contact Information
David Navetta, Esq., CIPP
www.infolawgroup.com
Benjamin Tomhave, MS, CISSP
geminisecurity.com