June 16 2015 P&S Update Webinar


Transcript of June 16 2015 P&S Update Webinar

Page 1: June 16 2015 P&S Update Webinar

Privacy & Security Update
June 16, 2015 Webinar

Mike Geske
GESKE COUNSEL, LLC
Washington, DC
202.904.1077
[email protected]

Page 3: Benefits from Self-Reporting Data Breaches to DOJ, FTC

FTC Statement (May 20, 2015): If the FTC Comes to Call

Ass’t AG Caldwell Speech (May 20, 2015): Remarks at the Georgetown Cybersecurity Law Institute


Page 4: Benefits from Self-Reporting Data Breaches to DOJ, FTC

FTC Statement (May 20, 2015):

An FTC data-breach or security investigation asks:

Despite breaches or data security problems, were the company’s data security practices, including its response, on balance, reasonable?


Page 5: Benefits from Self-Reporting Data Breaches to DOJ, FTC

FTC Statement (May 20, 2015): If the FTC Comes to Call

Company’s response is an essential element of FTC’s inquiry
• Help affected consumers
• Cooperate with criminal, law-enforcement agencies against hackers

“In our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach.… It’s likely we’d view that company more favorably than a company that hasn’t cooperated.”


Page 6: Benefits from Self-Reporting Data Breaches to DOJ, FTC

FTC Statement (May 20, 2015): If the FTC Comes to Call

FTC data-security investigations are non-public

Can request information and documents, including from
• Consumers
• Vendors and banks
• Other companies
• Employees


Page 7: Benefits from Self-Reporting Data Breaches to DOJ, FTC

FTC Statement (May 20, 2015): If the FTC Comes to Call

• Information security plan
• Employee handbooks; training
• Cost effectiveness of available defenses
• Audits, risk assessments
• Privacy policies; security promises to consumers
• Compliance v. policy
• Circumstances of breach
  • What happened
  • What protections were in place
  • What consumer harm is likely; any consumer complaints
  • How company responded


Page 8: Benefits from Self-Reporting Data Breaches to DOJ, FTC

Ass’t AG Caldwell Speech (May 20, 2015):

Joint Announcement of FTC Statement
• General View: Hacked companies are victims

Recounts cooperative take-downs of attacks, capture of hackers
• Private sector
• DOJ, FBI, DHS, Secret Service, Dep’t of State, Foreign Law Enforcers

Cybersecurity Unit in CCIPS (Computer Crime and Intellectual Property Section)
• Self-reporters gain Unit’s expertise, forensic tools, legal authority for warrants


Page 9: Operating Securely: Risk Management v. Firewalls


“One of the defining characteristics of these attacks is that they can penetrate virtually all of a company’s perimeter defense systems, such as firewalls or intrusion detection systems: Intruders … exploit all layers of security vulnerabilities until they achieve their goal. In other words, if a sophisticated attacker targets a company’s system, they will almost certainly breach them.”*

*NACD Cyber-Risk Oversight Handbook (2014) at 4. You can download a copy of the Handbook at the NACD website.

Page 10: Operating Securely: Risk Management v. Firewalls

All risks are not the same;
All data are not crown jewels.


NACD Handbook Principle 5:

“Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance as well as specific plans associated with each approach.”*

*Principle 5 is discussed on pp. 4 & 14 of the NACD Cyber-Risk Oversight Handbook. The NACD Handbook is expressly consistent with CKS guidance to avoid “siloed” thinking. See pp. 7, 13.

Page 11: Operating Securely: Risk Management v. Firewalls

DOJ White Paper, Best Practices for Victim Response and Reporting of Cyber Incidents (Apr. 29, 2015).

NIST, Computer Security Incident Handling Guide, Special Publication 800-61 Rev. 2 (Aug. 2012).

NIST, Framework for Improving Critical Infrastructure Cybersecurity (Feb. 12, 2014).

CSIS/DOJ Active Cyber Defense Experts Roundtable, Summary of Topics and Views (Mar. 10, 2015).


Page 12: Operating Securely: Risk Management v. Firewalls


Have a Response Plan
• Actionable: personnel, procedure, equipment
• Identify and protect cyber assets
• Collect, preserve data about incident
• How to continue operations while responding to attack

Make contacts/relationships prior to breach with
• Local FBI field office, DHS (NCCIC), state law enforcement
• Consultants, lawyers

Do NOT “hack back”
• Generally unlawful under U.S. statutes
• Risks warfare with an unknown adversary
• Unlikely to succeed

Page 13: Operating Securely: Risk Management v. Firewalls


ORDER OF CYBER-RISK MANAGEMENT DECISIONS

1. Data, assets, services meriting most protection
   • Who must have access
   • Under what conditions

2. Appropriate protections and limits for each rank

3. Test, review, learn, amend
   • Before and after next hack

Page 14: USA Freedom Act and ACLU v. Clapper

ACLU v. Clapper (2d Cir. May 7, 2015)
• Specific, relevant request required for government access

USA Freedom Act (June 2, 2015)
• Metadata still collected
• Held by companies not NSA
• Specific, relevant request required for government access
• Independent amici at FISC, FISC-R


Page 15: USA Freedom Act and ACLU v. Clapper

Wise Agnostics

Will USA Freedom Act be effective?
• Executive Order No. 12333
• Director Clapper admittedly and demonstrably lied under oath to Congress
• Mandated reports will not be under oath, just statutorily mandated

How long will communication providers keep the data?
• Where and under what conditions
• Integrity matters
• Data-wealthiest man of all history is now a data-beggar


Page 16: June 16 2015 P&S Update Webinar

MICHAEL R. GESKE
Leader, CKS Privacy & Security

GESKE COUNSEL, LLC
202.904.1077
Washington, DC
[email protected]