yes. you’re in the right room.. hi! i’m david (hi david!)
TRANSCRIPT
Yes. You’re in the right room.
Hi!
I’m David(Hi David!)
I’m a lawyer.
I’m a lawyer.
Today we’re going to talk
about:
• Major laws• Legal guide• Contract issues• Toolkit
Roadmap
Major laws
• Computer Fraud and Abuse Act - 18 USC 1030• Wiretapping – 18 USC 2511• Stored Communications Act (email) – 18 USC 2701• Destruction of communication devices – 18 USC 1362• Patriot Act – amends many laws• RICO• Foreign Intelligence Surveillance Act (FISA)• Medical Computer Crime Act• State laws
Major laws
Knowledge
Exceeding authority
Infrastructure that is not public / open
Disclosure / retention of data
Major laws
CFAA – up to 20 years
SCA – 5 years in the absence of malice
Wiretapping – 5 years
Major laws
Penalty considerations• Potential and actual loss• Sophistication and planning involved• Purpose of offense• Intent• Impact on privacy rights• National security • Interference with critical infrastructure• Threat to public health
Legal guide
Scope
Permission
Third parties
Access
Legal guide
Scope
• What is the customer trying to protect?
• Systems to be protected
• Limitations on testing
• Types of information processed
Legal guide
Permission
• Methods to be used
• Types of customers serviced
• Categories of information held
• Data to be retained
• Data to be purged
Legal guide
Third parties
• Who are customer’s third party vendors?
• Does customer contract allow testing?
• Will you use third parties?
• Consider law enforcement and prosecutorial priories
Access
• Document data to which you have access
• Limit the number of employees who have access to data
• Create and implement access policies
• Require written notice
Legal issues
Contract
Permission
Scope of access
Indemnification
Termination issues
Contract
Permission and Scope of AccessCustomer grants Company full and unlimited access to the information and systems set out on the Statement of Work (Access). Access is only limited by the express statements set out in the Statement of Work. Company agrees to keep complete and accurate records of its activities related to Access. Company shall be entitled to produce these records should it be alleged that Company has exceeded the Access authorized by Customer.
You must have express permission
IndemnificationCustomer hereby releases and agrees to indemnify and defend Company, and any and all directors, officers, employees, contractors and agents of Indemnitee (collectively, the “Indemnitees”) from and against any and all liabilities, claims, losses, damages, costs, and expenses, including reasonable attorneys’ fees arising out of or in any way relating to the activities set out on the Statement of Work. This indemnification obligation shall extend to claims brought by customers of Customer and any third party claiming injury of any sort from the activities set out in the Statement of Work. In addition, the indemnification obligation shall extent to any charges brought against Company by a law enforcement or regulatory entity of any type based on the activities contemplated in this Agreement.
Contract
Indemnification must be broad and extend to end users / law enforcement
Termination
Contract
Upon termination or expiration of this Agreement, Company shall delete all data and provide Customer with written confirmation of this deletion. Company shall also instruct any entities who have had access to the data to also delete it and provide Customer with written certification of this deletion. The security obligations set out in this Agreement relating to the data shall survive termination or expiration of this Agreement until such time as the data is completely deleted by Company. Company shall require this provision, or one similarly protective of Customer’s rights in all its contracts with suppliers or other vendors who provide aspects of the Services. Company may keep copies of data created pursuant to this Agreement, subject to this paragraph
When agreement terminates, your rights
terminate.
Toolkit
Determine how services will be used
Evaluate customer’s data structure
Understand end user’s data
Determine the type of data you may retain
High risk regulatory areas
Disposition of data on termination
surveymonkey/source12
Thanks for coming!
W: dsnead.comT: @wdsneadpc