June 16 2015 P&S Update Webinar
Transcript of June 16 2015 P&S Update Webinar
Slide 1 - Title
Privacy & Security Update
June 16, 2015 Webinar
Mike Geske, GESKE COUNSEL, LLC
Washington, DC
202.904.1077

Slide 2 - Privacy & Security Update: Agenda
1. Benefits from Self-Reporting Data Breaches to DOJ, FTC
2. Operating Securely: Risk Management v. Firewalls
3. New rules about NSA bulk collection and use of metadata
   • USA Freedom Act; and
   • ACLU v. Clapper, No. 14-42-cv (2d Cir. May 7, 2015)

Slide 3 - Benefits from Self-Reporting Data Breaches to DOJ, FTC
FTC Statement (May 20, 2015): If the FTC Comes to Call
Ass't AG Caldwell Speech (May 20, 2015): Remarks at the Georgetown Cybersecurity Law Institute

Slide 4 - Benefits from Self-Reporting Data Breaches to DOJ, FTC
FTC Statement (May 20, 2015):
An FTC data-breach or security investigation asks:
Despite breaches or data security problems, were the company's data security practices, including its response, on balance, reasonable?

Slide 5 - Benefits from Self-Reporting Data Breaches to DOJ, FTC
FTC Statement (May 20, 2015): If the FTC Comes to Call
Company's response is an essential element of FTC's inquiry
• Help affected consumers
• Cooperate with criminal, law-enforcement agencies against hackers
"In our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach. … It's likely we'd view that company more favorably than a company that hasn't cooperated."

Slide 6 - Benefits from Self-Reporting Data Breaches to DOJ, FTC
FTC Statement (May 20, 2015): If the FTC Comes to Call
FTC data-security investigations are non-public
Can request information and documents, including from
• Consumers
• Vendors and banks
• Other companies
• Employees

Slide 7 - Benefits from Self-Reporting Data Breaches to DOJ, FTC
FTC Statement (May 20, 2015): If the FTC Comes to Call
• Information security plan
• Employee handbooks; training
• Cost effectiveness of available defenses
• Audits, risk assessments
• Privacy policies; security promises to consumers
• Compliance v. policy
• Circumstances of breach
   • What happened
   • What protections were in place
   • What consumer harm is likely; any consumer complaints
   • How company responded

Slide 8 - Benefits from Self-Reporting Data Breaches to DOJ, FTC
Ass't AG Caldwell Speech (May 20, 2015):
Joint Announcement of FTC Statement
• General View: Hacked companies are victims
Recounts cooperative take-downs of attacks, capture of hackers
• Private sector
• DOJ, FBI, DHS, Secret Service, Dep't of State, Foreign Law Enforcers
Cybersecurity Unit in CCIPS (Cyber Crime and Intellectual Property Section)
• Self-reporters gain Unit's expertise, forensic tools, legal authority for warrants

Slide 9 - Operating Securely: Risk Management v. Firewalls
"One of the defining characteristics of these attacks is that they can penetrate virtually all of a company's perimeter defense systems, such as firewalls or intrusion detection systems: Intruders … exploit all layers of security vulnerabilities until they achieve their goal. In other words, if a sophisticated attacker targets a company's system, they will almost certainly breach them."*
*NACD Cyber-Risk Oversight Handbook (2014) at 4. You can download a copy of the Handbook at the NACD website.

Slide 10 - Operating Securely: Risk Management v. Firewalls
All risks are not the same; all data are not crown jewels.
NACD Handbook Principle 5:
"Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance as well as specific plans associated with each approach."*
*Principle 5 is discussed on pp. 4 & 14 of the NACD Cyber-Risk Oversight Handbook. The NACD Handbook is expressly consistent with CKS guidance to avoid "siloed" thinking. See pp. 7, 13.

Slide 11 - Operating Securely: Risk Management v. Firewalls (sources)
DOJ White Paper, Best Practices for Victim Response and Reporting of Cyber Incidents (Apr. 29, 2015).
NIST, Computer Security Incident Handling Guide, Special Publication 800-61 Rev. 2 (Aug. 2012).
NIST, Framework for Improving Critical Infrastructure Cybersecurity (Feb. 12, 2014).
CSIS/DOJ Active Cyber Defense Experts Roundtable, Summary of Topics and Views (Mar. 10, 2015).

Slide 12 - Operating Securely: Risk Management v. Firewalls
Have a Response Plan
• Actionable: personnel, procedure, equipment
• Identify and protect cyber assets
• Collect, preserve data about incident
• How to continue operations while responding to attack
Make contacts/relationships prior to breach with
• Local FBI field office, DHS (NCCIC), state law enforcement
• Consultants, lawyers
Do NOT "hack back"
• Generally unlawful under U.S. statutes
• Risks warfare with an unknown adversary
• Unlikely to succeed

Slide 13 - Operating Securely: Risk Management v. Firewalls
ORDER OF CYBER-RISK MANAGEMENT DECISIONS
1. Data, assets, services meriting most protection
   • Who must have access
   • Under what conditions
2. Appropriate protections and limits for each rank
3. Test, review, learn, amend
   • Before and after next hack

Slide 14 - USA Freedom Act and ACLU v. Clapper
ACLU v. Clapper (2d Cir. May 7, 2015)
• Specific, relevant request required for government access
USA Freedom Act (June 2, 2015)
• Metadata still collected
• Held by companies, not NSA
• Specific, relevant request required for government access
• Independent amici at FISC, FISC-R

Slide 15 - USA Freedom Act and ACLU v. Clapper
Wise Agnostics
Will USA Freedom Act be effective?
• Executive Order No. 12333
• Director Clapper admittedly and demonstrably lied under oath to Congress
• Mandated reports will not be under oath, just statutorily mandated
How long will communication providers keep the data?
• Where and under what conditions
• Integrity matters
Data-wealthiest man of all history is now a data-beggar

Slide 16 - Contact
MICHAEL R. GESKE
Leader, CKS Privacy & Security
GESKE COUNSEL, LLC
202.904.1077
Washington, DC
[email protected]