Approaching Cybersecurity Law · 2018-11-20  · This presentation provides insight in how to...

Approaching Cybersecurity Law A Guide for Information Security Professionals David Jackson November 20, 2018 ISSA National Capital Chapter Meeting


Page 1: Approaching Cybersecurity Law - A Guide for Information Security Professionals

David Jackson, November 20, 2018

ISSA National Capital Chapter Meeting

Page 2: Biography

Mr. Jackson is a member of the ISSA DC and NOVA chapters, and he holds CISSP, CEH, and CIPP certifications. He works as a regulatory attorney for a government contractor in the Washington DC area, and he is a regular contributor to the ISSA Journal. Mr. Jackson has a J.D. from the University of Kansas, and an LL.M. from the University of Arkansas.

Page 3: Abstract

Approaching Cybersecurity Law - A Guide for Information Security Professionals

Cybersecurity law is a confusing subject. There are many different types of laws, which affect different organizations in different ways. This presentation provides insight into how to consider cybersecurity law as a discipline, and dispels the notion that law as a tool is all powerful. In fact, law can be quite limited, slow, and backward looking. Finally, the presentation ends with a discussion of the future of cybersecurity law, and how to identify the coming trends.

Page 4: Tonight We Will Cover:

• How to View Cybersecurity Law
• Law is Not All Powerful – It's Imperfect
• Future of Cybersecurity Law

Page 5: Topic 1 – How to View the Cybersecurity Law Landscape

Page 6: Most Cybersecurity Law is Learned for the CISSP Exam

• CISSP Domain 1 – Law
  • Cybercrime
  • Intellectual Property
  • Privacy
  • Different Legal Systems

Page 7: Challenges in Understanding the Law in CISSP Domain 1

• It's confusing. A hodgepodge of topics.
• It's overwhelming. A lot of foreign information.
• It needs some organization. A roadmap.

Page 8: Better to View Cybersecurity Law by Who is Impacted

[Diagram: two layers, U.S. and International, each containing Individuals, Businesses, and Government]

Page 9: Laws that Impact Individuals

• 2 Categories of Individuals
  • General Public
  • Criminals
• Cybersecurity laws are designed to separate the Criminals from the General Public
  • But also, perhaps, to encourage E-Commerce

Page 10: Laws Separating Individuals and Criminals

• Hacking Governments or Banks
• Organized Crime
• Selling Trade Secrets
• Identity Theft
• Selling Passwords to Accounts

Page 11: Laws Encourage E-Commerce?

• Why E-Commerce
  • Reduces Costs
  • Improves Accuracy
  • Faster
• Why Encourage
  • Framework for Global Electronic Commerce (90s)
  • Don't want to kill the "Goose that Lays the Golden Egg"
• Not Explicitly Stated
  • More of an Inference – I'm suggesting that the law encourages e-commerce.

Page 12: Laws that Impact Businesses

Not all businesses are affected by all cybersecurity laws – Only Certain Businesses…

• Telecom
• Health Care
• Government Contractors
• Banks

Page 13: Laws that Impact Businesses cont'd

… And only Certain Types of Data

• Health Information
• Financial Information
• Video Records (Blockbuster to Netflix)
• School Records
• Government Data

Page 14: Business and Government have a Bifurcated Relationship

• Partnership
  • Share Data
  • Work Together on Investigating Threats
• Regulation
  • Enforce Regulations
  • Penalize Violations
• The lines can get blurred!

Page 15: Laws that Impact Government

• Specific Government Agencies
  • Law Enforcement
  • Military
  • Executive Agencies
• How laws impact the Government
  • Limit power within the US
  • Defend US Interests internationally

Page 16: Which Parts of Government have their Power Limited

• Law Enforcement
  • Surveillance
• Military
  • Domestic Occupation
• Government Agencies
  • Privacy Act
  • Administrative Procedures Act

Page 17: How does International fit into this model of Cybersecurity Law?

• In a global economy, and in an electronic world, the borders are less restrictive.
• Same group of participants
  • Individuals
  • Businesses
  • Government
• Primarily US Government facilitated relationship
• Can be difficult to enforce across borders

Page 18: What Types of Legal Issues Impact International?

• Individuals
  • Extradition
• Businesses
  • Export Controlled Trade
  • Trade Secret Theft
• Governments
  • Cyberwar
  • Cyberterrorism
  • Cyberespionage

Page 19: Putting it all together into a Cybersecurity Law Landscape

[Diagram: two layers, U.S. and International, each containing Individuals, Businesses, and Government. Labels on the International layer: Extradition, Export Control, Cyberwar. Labels on the U.S. layer: Surveillance, Protect Data, Partnership, Regulation]

Page 20: Topic 2 – The law isn't All Powerful – It's Imperfect

Page 21: Law isn't All Powerful – Let's Dispel some Myths

Myths
• Law can apply everywhere
• Law applies to any new situation
• Law keeps up with the changes of the times

Actuality
• Law is limited
• Law is backward looking (at first)
• Law is slow to change

Page 22: The Law is Limited – How is it Limited?

• The law is limited to certain people and certain situations
• For our purposes, the journalism questions may be more useful to understand those limitations:
  • Who – the party/parties involved
  • What – the actions in question
  • Where – the jurisdiction
  • When – the circumstances around the actions
  • How – the enforcement mechanism
  • Why – the policy reasons

Page 23: Let's use the Computer Fraud and Abuse Act as an Example

• Computer Fraud and Abuse Act (CFAA) was the first big cybersecurity law. (18 U.S.C. § 1030)
• Criminalizes unauthorized access to government and financial institution computers.
• The DOJ has a practice manual on CFAA to provide more guidance on prior case law.
• The actual law is somewhat convoluted, so I'm abridging the law slightly for our discussion.

Page 24: Here's the CFAA in Simplified Form

• Whoever, intentionally accesses a computer without authorization, or exceeds authorized access,
  • and thereby obtains information contained in a financial record of a financial institution…
  • or information from a department or agency of the United States, …
• shall be punished … by a fine or imprisonment…
• The U.S. Secret Service, the FBI, the Secretary of Treasury and the Attorney General shall have the authority to investigate.

Page 25: How the CFAA can be analyzed with the journalism questions

• Who – Whoever
  • Natural Person (versus a legal person – Corporation)
• What – Intentionally Accesses a Computer
  • Without authorization
  • Exceeds authorization
• Where – Federal (implied – 18 USC)
• When – obtain information from:
  • federal government
  • financial institution
• How – Fines, Prison / Secret Service, Treasury, FBI / AG
• Why – not relevant – policy arguments are weaker
  • 1980s - movie WarGames

Page 26: Where is the CFAA Limited?

• The CFAA applies only to certain situations
  • Federal Government / Financial Institution computers
  • Without Authorization / Exceeds Authorization
  • Federal Law Enforcement Investigates

Page 27: Where the CFAA Does Not Apply

• Not your neighbor's computer.
  • (not a federal or bank computer)
• Not filing your state tax return.
  • (authorized)
• Not mistyping a URL into your web browser.
  • (not intentional)

Page 28: Law is Limited - In Conclusion

• Only certain:
  • People
  • Locations
  • Activities
  • Circumstances
• Policy – the "Why" Doesn't Really Matter.
• Key is Understanding the Limits.

Page 29: Law Looks Backward (before it looks forward)

• Our legal system is based on precedent – what decisions came before – "Stare Decisis" (let the decision stand)
• This forces every legal analysis to start with what law came before.
• How does this new situation fit with a prior legal issue?

Page 30: Let's Return to the 1990s for an Example – AOL and "Spam"

• AOL was a major target for "spam" (now known as unsolicited commercial email).
• In the 1990s, AOL sued spammers as part of its anti-spam strategy.
• It was difficult because the laws didn't easily address this new phenomenon.
• Expensive to Prosecute.
• BTW, I worked at AOL fighting spam in the 1990s.

Page 31: AOL Won Lawsuits in Part Using "Trespass to Chattels"

• Definitions
  • Tort – civil wrong – intentional - Old Common Law (from England)
  • Chattels are things.
  • Trespass in this case = Interference ("damages suffered by reason of the loss of its use.")
  • See e.g., America Online, Inc. v. IMS et al., 24 F. Supp. 2d 548 (E.D. Va., 1998)
• So, the law that was violated was
  • Someone had interfered with the use and enjoyment of someone else's things that caused damage that could be calculated. (this is highly simplified language)
• For AOL –
  • Spammers had interfered with AOL's use and enjoyment of its mail servers to serve email to its user base, and cost AOL time and money to process the extra emails, and "burdened their equipment" (mail servers)

Page 32: Challenges to this Legal Theory

• Spam email is just email. You provide the service of email to your users, it goes with the territory.
• 1st amendment violation? No state action.
• Increased cost of mail servers could be attributed to the increase in membership - more users, more mail servers – not this email.
• Interference required showing volume that damaged business – what caused the burden to the equipment?

Page 33: The Law Looks Forward and Passes CAN-SPAM

• A few years later, Congress passes CAN-SPAM (Pub. L. 108-187, 2003).
• Changes the legal question from interference to unsolicited.
• Drops the Volume analysis requirement.
• Unwanted is enough.
• Damages quantified by email as a unit and not in aggregate.
• But, Law looks backward before it can look forward.

Page 34: The Law is Slow to Change

• One of the biggest challenges to addressing cybersecurity law needs is that the law making process is so slow.
• Cybersecurity threats arise quickly, and it can be frustrating to seek legal action only to find that there is no easy fix – no applicable law for a situation.
• In order to talk about why the law is slow to change we need to look at how laws are made.

Page 35: How Laws are Made – a Civics Review

• U.S. Constitution: Three Branches of Government
• There's a Balance of Powers

[Diagram: Congress makes the law; President enforces the law; Courts interpret the law]

Page 36: How the Laws Are Made among the Three Branches

• But it is a serial process too:
• Of course, the process is not strictly serial - Courts can review statutes.
• The point is that making a law is a journey through the three branches and their law making processes.

[Diagram: Congress (Legislative, Statutory) makes the law; Agencies (Administrative, Regulatory) enforce the law; Courts (Judicial) interpret the law. Connecting labels: "Authorizing Statute" and "Case or Controversy"]

Page 37: Legislative Process – Why Are There so Many Laws in Congress?

• Let's review the numbers based on "cyber*" in this current Congressional session.
• Bill is proposed in House (491)
• Committee (132)
  • Hearing
  • Report
  • Vote
• Full Floor Vote (98)
• Same Process Senate (27)
• President signs (19) – then it becomes law.
• Many bills are proposed, but very few become law!

Page 38: Regulatory Process – How Government Agencies Make Laws

• Federal Register as Paper of Record (www.federalregister.gov)
• The process to create a new regulation:
  • Unified Agenda (www.reginfo.gov)
  • Notice of Proposed Rule Making
  • Notice and Comment Period (www.regulations.gov)
  • Final Rule
• There are substeps within this process. The numbers vary depending on the issue and how many comments are received.
• Comments from the public can affect the regulation.
• Only the Final Rules matter! And only after their effective date!!

Page 39: Judicial Process – How Courts Determine Whether a Law is Good?

• In order to sue - need a case or controversy
• There are three levels of review:
  • District Court
  • Court of Appeals
  • Supreme Court
• Start at District Court, then appeal, and appeal.
• This three-level system applies to State Courts and Federal Courts
• Note: State Supreme Court decisions can be reviewed by the U.S. Supreme Court. Miranda v. Arizona for example.

Page 40: Judicial Process with Numbers

2409 Federal cases involving cyber (approximately)
• District Court (1,610) 67%
• Court of Appeals (562) 23%
• Supreme Court (237) 10%

• Only a few go to the Supreme Court.
• The key is that the case decision only applies to the jurisdiction of the court.

Page 41: Law Making is a Slow Process

• Legislative – 2 year cycle
  • New Congress – starts over
• Regulatory – 4-8 year cycle
  • New Administration – start over?
• Judicial – 6 – 15 years
  • Each case can take months/years to be decided at each level.
• Very, Very slow. 10 to 20 years in total.
• A lot of proposals, very few new laws.
• Very political too.

Page 42: In Conclusion: The Law is Not All Powerful.

• The Law is Imperfect:
  • The Law is Limited – certain people, certain situations
  • The Law Looks Backward – precedent – what legal issues happened prior?
  • The Law is Slow to Change – the law making process can take years
• The reality is that the law is often the antithesis to technology
  • Technology can Apply Broadly
  • It Looks Forward
  • It is Very Quick to Change
• This dichotomy between Law and Technology creates tension between the Legal and Technology communities

Page 43: Topic 3 – What is the Future of Cybersecurity Law

Page 44: The Future of Cybersecurity Law – Where do We Begin?

• In order to understand the future of cybersecurity law, we start with the relationship between technology, business, and law.
• As I mentioned technology changes quickly. The law slowly.
• There are actually 2 lags between law and technology.

[Diagram: Technology, Business, Law]

Page 45: 1st Lag – If Change were to Start Simultaneously, Law would Lag Behind

[Diagram: Technology, Business, and Law]

• Technology changes quickly – Moore's Law 18 mo.
• Business changes a bit slower – 5 – 10 years to start a new business and achieve scale.
• Law changes very slowly – 10 – 20 years as previously discussed.

Page 46: 2nd Lag – Change is also Serial

[Diagram: Technology, then Business, then Law]

• You have to have technological innovation first. So the lag is cumulative.
• Cybersecurity law development lags far behind technology innovation.

Page 47: The future of Cybersecurity Law is in the Nexus of Business and Law

• Between technology and business is the idea of what can be monetized or commercialized. What is Scalable.
• What problems arise from scaling that Businesses can't address through technology? What are the surprises?
• That's the future of cybersecurity law. How to address the surprises.
• Email as an example - RFC 822 (1980), ISPs (1990s), Spam (late 90s), CAN-SPAM (2003).

[Diagram: Technology, Business, Law, with "Scalable" between Technology and Business and "Surprises" between Business and Law]

Page 48: New Cybersecurity Laws to Know

By Jurisdiction:
• California
• Supreme Court
• FTC
• Regulatory Agencies
• Europe
• Congress

Page 49: California – Pushing the Federal Envelope in 2018

• Internet of Things law (Security of Connected Devices, SB 327, Cal. Civ. Code, Title 1.81.26, § 1798.91.04 et seq.)
  • Manufacturers (not distributors)
  • Connected devices (IP or Bluetooth)
  • Reasonable security feature (nature and function of device)
• California Consumer Privacy Act (AB 375, Cal. Civ. Code, Title 1.81.5, § 1798.100 et seq.)
  • Effective 1/1/2020
  • Consumers can request that business disclose the personal information collected and what has been done with that information. GDPR like.
  • In response to Cambridge Analytica (Facebook is in California)
• Net Neutrality law (California Internet Consumer Protection and Net Neutrality Act of 2018, SB 822, Cal. Civ. Code, Title 15, § 3100 et seq.)
  • Unlawful to block, impair, or degrade lawful Internet traffic based on content, application, service, or device
  • For both fixed (broadband) and mobile Internet service providers

A few overall thoughts:
• California tends to be Progressive – embracing changes first.
• All technology roads lead to California. (Silicon Valley)
• Inferred Political Fight between California and the U.S. Government.

Page 50: Supreme Court

• Carpenter v. U.S. (No. 16-402, 2018)
  • Cell Site Location Information (12,898 location points over 127 days)
  • Question – reasonable expectation of privacy - cell phones as electronic trackers in your pocket
  • Court Ruled: Law Enforcement needs a warrant for cell location data
  • Surveillance – 4th Amendment and "new" technology
• CareFirst, Inc. v. Attias (No. 17-641, 2017)
  • Cert Denied Feb. 20, 2018
  • Lower Court Ruling stands (Attias v. CareFirst, Slip. Op. 16-1708, DC Ct. App., 2017)
  • Court held that damages could be awarded for threat of future identity theft resulting from a data breach.
  • Unusual – courts HATE to speculate about future harm - the "maybes"
  • So, what does this mean for Cybersecurity Insurance claims / data breach costs?

Page 51: FTC and Cybersecurity

• Unfair or Deceptive Acts or Practices in or Affecting Commerce is a broad umbrella of authority under § 5.
• FTC v. Wyndham (3rd Cir. No. 14-3514, 2015)
  • FTC – has pursued cases against companies with deficient cybersecurity practices
  • Wyndham had three data breaches – it failed to use readily available security measures (like firewalls) – claimed to be the victim
  • Wyndham claimed FTC didn't have the authority to regulate cybersecurity matters.
  • Businesses must protect customer personal information, and FTC can pursue cases where the businesses don't.
• LabMD v. FTC (11th Cir., No. 16-16270, 2017)
  • Facts of this case are odd – billing manager for a lab with a file sharing program / security company downloaded personal data of 9,300 consumers / sent the information to the FTC
  • FTC claimed a broad failure of LabMD to protect personal data, but the claim was too broad. The cease and desist order must be specific to the case in point.
• Taken together, FTC has power to regulate cybersecurity in data breaches, but that power is proportional to the incident.

Page 52: Regulatory Agencies

SEC
• Commission Statement and Guidance on Public Company Cybersecurity Disclosures (83 FR 8166, Feb. 26, 2018)
• Must inform investors about cybersecurity incidents and risks based on:
  • Materiality of risk and
  • Importance of compromised information

DOD
• DOD Guidance for Reviewing Systems Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented (83 FR 17807, Apr. 24, 2018)
• DOD drafted guidance for contractors to use in implementing 800-171 and is seeking comments. Admission that there are challenges with meeting these requirements? From both sides?
• Consider the bifurcated role of Government and Business – sharing information as a partnership and regulatory enforcement.

Page 53: Europe

General Data Protection Regulation (GDPR) (EU) 2016/679
• Implementation Date: May 25, 2018
• Privacy Shield – Current U.S. Data Sharing Scheme - being sued in European Court – like Safe Harbor?
• Data Security Concerns
  • Processing – broad
  • Pseudonymized / Anonymized Data – assumes traceability
  • General Security Requirement – Art 32, CIA Triad
  • Monitoring and Profiling (AI)

Page 54: Congressional Actions

• In this Congress – No BIG changes
  • NIST Small Business Cybersecurity Act (Pub. L. 115-236, Aug. 14, 2018)
    • Congress directs NIST to develop Cybersecurity Framework for Small Businesses out of existing funding
  • DHS - Cybersecurity and Infrastructure Security Agency Act of 2018 (H.R. 3359, Pub. L. 115-TBD, Nov. 16, 2018)
    • Reorganize the DHS Cybersecurity departments (internal change in operations)
• In the previous Congress – a few changes
  • Cybersecurity Information Sharing Act 2015 (Pub. L. 114-113)
    • Creates framework for businesses to share cyber threats with the Government who can report back to the whole subscribership
  • Trade Secrets Act 2016 (Pub. L. 114-153)
    • Creates a federal right of action for trade secret theft cases.
• Point – laws change slowly and infrequently.

Page 55: New Business Risks on the Horizon – Looking into a Crystal Ball

• CEH Army
  • Risk - Hack Back?
  • Private industry with offensive capability
• Botnets
  • How to assess liability – Masters, Bots, Networks?
  • DOJ Guidance 2015 easier prosecution – subpoenas can be filed centrally
• IoT
  • Risk of Insecurity – California ahead of time, or right on time?
  • Wearable tech – time and location information – cell phones as homing devices – what about Fitbits?
• Blockchain
  • Bitcoin - Financial Regulation - in a decentralized environment?
  • Supply chain / e-contracts – putting attorneys out of business?
  • Traceability / Integrity - Risk of unplanned forking?

Page 56: Revisiting the Cybersecurity Law Landscape

[Diagram: two layers, U.S. and International, each containing Individuals, Businesses, and Government. Labels on the International layer: Extradition, Export Control, Cyberwar. Labels on the U.S. layer: Surveillance, Protect Data, Partnership, Regulation]

Page 57: Perennial Issues that Arise in the Cybersecurity Law Landscape

• Individuals
  • Surveillance – 4th Amendment – Warrants?
  • E-Commerce Encouragement – Risk of data breach
• Business
  • Regulation – how far to go to increase security
  • Partnership – how much sharing, what can change over time
  • International Business Transactions – exports, foreign policy
• Government
  • International Criminal Enforcement – extradition, international surveillance, protecting trade secrets
  • Just War in Cyber Times – borderless conflict - a time beyond the nation state?

Page 58: In Conclusion

• Cybersecurity law can be organized by who is impacted by the law – Individuals, Businesses, Government, International
• Law as a cybersecurity tool is not all powerful – it's limited, backward looking, and slow to change. The opposite of technology.
• The future of Cybersecurity Law lies in the nexus between technology, business, and law. We discussed: (1) the new laws in 2018, (2) what's coming next, and (3) what's always at issue.

Page 59: Additional Resources

• Habeas Data, Privacy vs. Rise of Surveillance Tech, Cyrus Farivar, Melville House Publishing, 2018.
• Cybersecurity Law, Jeff Kosseff, John Wiley & Sons, 2017.
• Federal Laws Relating to Cybersecurity: Overview of Major Issues, Current Laws, and Proposed Legislation, Eric A. Fischer, December 12, 2014, CRS Report R42114, Congressional Research Service.
• Websites
  • www.congress.gov (All Legislative Actions)
  • www.federalregister.gov (Daily Newspaper for Agencies)
  • www.ncsl.org (Cybersecurity Research at State Level)