cybersecurity laws
play

CYBERSECURITY LAWS, REGULATIONS, AND POLICIES: FROM "BEST - PowerPoint PPT Presentation

Feb 15, 2023 •143 likes •400 views

OVERVIEW OF CYBERSECURITY LAWS, REGULATIONS, AND POLICIES: FROM "BEST PRACTICES" TO ACTUAL REQUIREMENTS DAVID THAW UNIVERSITY OF MARYLAND BEFORE WE BEGIN These slides are (deliberately) not comprehensive! Ask questions!

  1. OVERVIEW OF CYBERSECURITY LAWS, REGULATIONS, AND POLICIES: FROM "BEST PRACTICES" TO ACTUAL REQUIREMENTS DAVID THAW UNIVERSITY OF MARYLAND

  2. BEFORE WE BEGIN… • These slides are (deliberately) not comprehensive! • Ask questions! • No, really, ask questions! • There are no stupid questions. Only cybersecurity vulnerabilities (waiting to happen). • Far more of cybersecurity is about practices than we care to admit…

  3. OVERVIEW • Structure of U.S. Cybersecurity Law and Regulation • Public Law • Private Law • Why Focus on Private Law? • Private Law in the U.S. • Security Breach Notification • Industry-Specific Regulation • General Consumer Protection (FTC) • The Role of Criminal Law?

  4. THE U.S. LEGAL SYSTEM • A side note: three “categories” of regulating behavior of private actors: • Civil (contracts, torts) • Governs liability among private parties • Consequences are generally monetary • Criminal • Governs liability of individual persons to the state for “bad acts” • Consequences (“punishment”) involve loss of liberty • Regulatory • Governs liability of (usually) entities to the state for acts deemed not in the public interest • Consequences are financial and operational

  5. STRUCTURE OF U.S. CYBERSECURITY LAW • Public Law • Governs relationships between individuals/private entities and government agencies • “What government can/can’t do” • Private Law • Governs relationships between private parties (individuals and/or private entities) • “What private parties can/can’t do” • Why do these distinctions matter??

  6. PRIVATE LAW • Why focus on private law? • “Critical Infrastructure” mostly operated by private companies • Most of government uses private sector-built products • Who holds most of the data? • Hard to measure, but clearly tremendous amounts held in private hands • Private law (probably) reaches more entities in the information infrastructure • Posse Comitatus Act of 1878: no cybersecurity exception (yet!) • e.g., “we can only defend .mil!” • note: some exceptions (e.g., NSA “advising” Google) • Bottom Line: Private law (currently) “where the action is”

  7. CYBERSECURITY LAW: THE LANDSCAPE • Industry-Specific Regulation • HIPAA • GLBA • IRS Regulations • DoD Regulations (applicable to private contractors) • Security Breach Notification Laws • General Consumer Protection (Federal Trade Commission) • State “Data Security” Standards • SEC Disclosure Regulations

  8. INDUSTRY-SPECIFIC REGULATION • Nearly exclusively at the federal level • Historically focused on consumer protection in healthcare (HIPAA) and finance (GLBA) • Form of “Management - Based Regulatory Delegation” • Regulatory requirement primarily is: • (1) development of an information security plan; and • (2) adherence to that plan • But note: the plan must meet certain requirements (particularly with HIPAA)

  9. GRAMM-LEACH- BLILEY ACT (GLBA) • Gramm-Leach-Bliley Financial Modernization Act of 1999 • Two primary sets of regulations • Interagency Guidelines (Treasury Dep’t) • Safeguards Rule (Federal Trade Comm’n ) • Generally speaking, require organizations to develop information security plans to address: • (1) Administrative risks; • (2) Technical risks; and • (3) Physical risks • (only marginal additional detail provided) • Requirements Exist (and organizations are following them)… … but no major (Treasury Dep’t) enforcement actions yet???

  10. HIPAA SECURITY RULE • Health Insurance Portability and Accountability Act (HIPAA) • Requires the Department of Health and Human Services to promulgate regulations establishing information security standards for the handling of Protected Health Information (PHI) • “Security Rule” • Requires “Covered Entities” and their “Business Associates” to conduct risk assessments and develop plans and procedures to protect against: • (1) Administrative risks; • (2) Technical risks; and • (3) Physical risks • Plans/procedures must be appropriate to the size, scope and capability of the organization • Additional detail provided for each category • There has been some enforcement activity (through OCR)

  11. THINKING ABOUT HIPAA AND GLBA • Management-Based Regulatory Delegation • Key Point: (almost) everything is a “Business Risk Decision” • What does this mean cybersecurity more broadly? • How do we figure out what to protect and how to protect it? • Risk assessments are key • But, be wary of trying to “get away with” strict adherence: • “That’s a really bad plan!” • Unencrypted emails • SSNs or other PII as document passwords • Low-hanging fruit today vs. low-hanging fruit tomorrow • Again: What does this mean for cybersecurity more broadly?

  12. OTHER INDUSTRY SPECIFIC REGULATION • IRS Publication 1075: Tax Information Security Guidelines for Federal, State, and Local Agencies • Applies to contractors as well! • DoD Information Security Guidelines • They’ve got a few… • (most) apply to contractors as well • DoD relies more heavily on NIST publications… (more on this later)

  13. BREAK • 10 Minute Break!

  14. SECURITY BREACH NOTIFICATION LAWS • Require organizations to disclose certain types of security incidents involving the unauthorized access of “Personal Information” • Unless the information was “encrypted” • 46 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have such laws • Applicability is determined by the residence of the individuals described in the compromised data • Not by the location of the data • Not by the location of the entity experiencing the breach • What does “encrypted” mean? • We’re back to “that’s a really bad plan…” • Why not use NIST definitions?

  15. SBN “TRIGGERING” DATA Identifier Sensitive Personal Reportable Information Breach (usually name) Three Common Types of Sensitive Personal Information: • Social Security Number • Payment Card/Account Number* • Gov’t -Issued ID Number* But: exception for “encrypted” data!

  16. CISO QUOTES: EFFECTS OF SBN S SBNs drive encryption policies: • “. . . [SBNs] caused us to . . . in a very short period of time, encrypt 40,000 laptops . . .” (CISO of a large healthcare organization) • “. . . What we have done is all computers now have to be encrypted.” (CISO of a large telecommunications company) • “So what’s happened since the Notification Laws have become sort of ubiquitous in the last three years [is] the security investment is moved, essentially to crypto. If it moves, encrypt it. It if stays there, encrypt it. There’s not much reflection on whether or not actually anyone ever uses that data. It’s still a breach.” (CISO of a large healthcare organization)

  17. SBN EFFECTIVENESS: 2000-2010 (HEALTHCARE/FINANCE)

  18. SBN EFFECTIVENESS: 2000-2010 (ALL OTHER INDUSTRIAL SECTORS)

  19. THE FEDERAL TRADE COMMISSION • Wait, the Federal Trade Commission? I thought we were talking about Cybersecurity? • 15 U.S.C. § 45 – “unfair or deceptive acts or practices” • Insufficient information security practices are an “unfair and deceptive” trade practice • To date, no Commission Enforcement Action has resulted in anything other than a settlement! • Nature of settlements: • Agreement to 20 years of biennial information security audits • (Possible) restitution to affected consumers • Agreement to discontinue the (allegedly) offending practice

  20. THE FEDERAL TRADE COMMISSION • Example (allegedly) offending practices: • Installing software to “track” consumers’ activities that captures sensitive authentication information ( Upromise , Sears ) • Failing to employ and require of customers secure authentication practices ( ACRANet, SettlementOne, ChoicePoint ) • Storing sensitive information/PII in cleartext in otherwise- vulnerbable locations ( Ceridian, James B. Nutter, TJX • Improper document disposal procedures ( Gregory Navone, CVS CareMark ) • SQL injection vulnerabilities ( Ceridian, Compgeeks.com ) • Unsecured Wireless Networks ( TJX, DSW, BJ’s Wholesale) • Failure to employ network security technologies including IDS/IPS and DLP ( Dave & Buster’s , TJX )

  21. FTC ENFORCEMENT • When the Commission settles an Enforcement Action, it de facto establishes an information security standard • Yet we have so many “repeat offenders” – why? • Breadth of Commission enforcement authority • Focus on consumer protection • There’s enough low - hanging fruit out there… “reasonableness” is the key • Nearly all the Actions to date resulted from absurdly inadequate practices

  22. OTHER REGULATIONS • State Data Security Standards • MA Data Security Standards (comprehensive) • CA, NV (limited) • Data disposal statutes (several states; specific in scope) • SEC Disclosure Guidelines • “Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.” • http://www.sec.gov/divisions/corpfin/guidance/cfguidance- topic2.htm#_edn4

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity cybersecurity? William J. Perry Martin Casado Keith Coleman Dan Wendlandt MS&E 91SI Spring 2004 Stanford University U.S. National Cybersecurity

79 views • 7 slides
LEGISLATION PAM GREENBERG, NCSL | NASS 2019 SUMMER CONFERENCE | JULY 2019 STATE CYBERSECURITY

LEGISLATION PAM GREENBERG, NCSL | NASS 2019 SUMMER CONFERENCE | JULY 2019 STATE CYBERSECURITY

OVERVIEW OF STATE CYBERSECURITY LAWS & LEGISLATION PAM GREENBERG, NCSL | NASS 2019 SUMMER CONFERENCE | JULY 2019 STATE CYBERSECURITY LAWS & LEGISLATION ABOUT NCSL Serves 7,383 legislators and 25,000 legislative staff. Provides

462 views • 17 slides
Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives:

Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives:

Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives: Define Cybersecurity & why its important Provide information about Dept. Homeland Security Cybersecurity Campaigns: National

328 views • 22 slides
Cybersecurity A presentation to the National Association of Black Accountants Cleveland

Cybersecurity A presentation to the National Association of Black Accountants Cleveland

Cybersecurity A presentation to the National Association of Black Accountants Cleveland Chapter Contents Cybersecurity and risk management 1 Cybersecurity and the regulatory 2 environment Cybersecurity and the audit 3 4 Appendix

685 views • 37 slides
KACo Cybersecurity Training KACo Cybersecurity Training Cybersecurity Threats Phishing

KACo Cybersecurity Training KACo Cybersecurity Training Cybersecurity Threats Phishing

7/17/2020 KACo Cybersecurity Training KACo Cybersecurity Training Cybersecurity Threats Phishing Attacks Malware/Ransomware Hacking Imposter Scams 1 7/17/2020 KACo Cybersecurity Training BEWARE OF Phishing Phishing attacks

248 views • 6 slides
Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright

Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright

Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright CyberSecurity Scholar 4 September 2019 James Davenport Formal Methods and CyberSecurity CyberSecurity CyberSecurity failures abound: tens daily in the

212 views • 19 slides
Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright

Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright

Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright CyberSecurity Scholar 4 September 2018 James Davenport Formal Methods and CyberSecurity CyberSecurity CyberSecurity failures abound: tens daily in the

325 views • 18 slides
ITU Mandate and Activities ITU Mandate and Activities Related to Cybersecurity Cybersecurity

ITU Mandate and Activities ITU Mandate and Activities Related to Cybersecurity Cybersecurity

ITU Mandate and Activities ITU Mandate and Activities Related to Cybersecurity Cybersecurity Related to Subregional Seminar on Cybersecurity for Information and Communication Networks 21 June 2005 Lima, Peru Christine Sund Christine Sund

921 views • 48 slides
Extractive Laws in Africa: What is the state of these laws? Why are our laws a problem? Why and on

Extractive Laws in Africa: What is the state of these laws? Why are our laws a problem? Why and on

Extractive Laws in Africa: What is the state of these laws? Why are our laws a problem? Why and on what should we call for reforms? Yao Graham s speaking notes at 2018 Alternative Mining Indaba 1. Greetings to all. Gratitude to organisers for

605 views • 6 slides
Being Strategic about Cybersecurity Regional Cybersecurity Forum, 29-30 Nov 2016, Grand Hotel

Being Strategic about Cybersecurity Regional Cybersecurity Forum, 29-30 Nov 2016, Grand Hotel

Being Strategic about Cybersecurity Regional Cybersecurity Forum, 29-30 Nov 2016, Grand Hotel Sofia, Bulgaria Mr. Joaqun Castelln , Operational Director Spanish National Security Department Ms. Anita TIKOS , Desk Officer for International

197 views • 15 slides
EU in action about cybersecurity NIS Directive 5G Cybersecurity Act GDPR Contractual ISACs

EU in action about cybersecurity NIS Directive 5G Cybersecurity Act GDPR Contractual ISACs

EU Cybersecurity European policy overview e-IRG e-IRG 4 December 2019 Brussels Anni Hellman, Senior Expert, Permanent Representation of Finland to the European Union Seconded for the Finnish Presidency from the Directorate General

320 views • 28 slides
MAYASEVENs Hacking Diary Who are we? Nop Phoomthaisong MAYASEVEN Team Cybersecurity

MAYASEVENs Hacking Diary Who are we? Nop Phoomthaisong MAYASEVEN Team Cybersecurity

MAYASEVENs Hacking Diary Who are we? Nop Phoomthaisong MAYASEVEN Team Cybersecurity Consultants, The Cybersecurity Expert Guys Cybersecurity Researcher 2 Agenda 1. Account Takeover via Forgot Password Function 2. Amazon S3

2.36k views • 75 slides
INTRODUCTION Institute 12/10/2018 1 OBJECTIVES Current cybersecurity statistics and

INTRODUCTION Institute 12/10/2018 1 OBJECTIVES Current cybersecurity statistics and

Section 1 Dr. Bruce Burton California Cybersecurity INTRODUCTION Institute 12/10/2018 1 OBJECTIVES Current cybersecurity statistics and implications Learn from past attacks Understand the NIST Cybersecurity Framework (CSF) &

368 views • 33 slides
Cybersecurity Today CYBERSECURITY IN TODAYS WORLD Cyberattacks in Wyoming Medical

Cybersecurity Today CYBERSECURITY IN TODAYS WORLD Cyberattacks in Wyoming Medical

Cybersecurity Today CYBERSECURITY IN TODAYS WORLD Cyberattacks in Wyoming Medical Facilities Local Government Schools Law Enforcement Media Outlets The threat and how to think about it Ransomware has rapidly emerged as the most

398 views • 15 slides
Cybersecurity and the AICPA Cybersecurity Attestation Project Chris Halterman Executive

Cybersecurity and the AICPA Cybersecurity Attestation Project Chris Halterman Executive

Cybersecurity and the AICPA Cybersecurity Attestation Project Chris Halterman Executive Director EY Chair AICPA Trust Information Integrity Task Force Agenda Item 8-D IAASB Meeting, September 21-25, 2015 New York, USA Page 1 Increasing

444 views • 17 slides
CYBERSECURITY Situational awareness Franois Thill, Director Cybersecurity, Ministry of the

CYBERSECURITY Situational awareness Franois Thill, Director Cybersecurity, Ministry of the

CYBERSECURITY Situational awareness Franois Thill, Director Cybersecurity, Ministry of the economy Agenda The actual situation Strategy of the ministry Risk management a common language Some good practice examples 2 The

427 views • 21 slides
You Never Want to Go Back: The Promise of Health IT Journalism Workshop on Health

You Never Want to Go Back: The Promise of Health IT Journalism Workshop on Health

You Never Want to Go Back: The Promise of Health IT Journalism Workshop on Health Information Technology October 14, 2016 Dr. Vindell Washington, National Coordinator for Health IT My Journey to Health IT 2 HISTORY: Office of the

328 views • 13 slides
Supply Chain Sponsored By: The Digital Ecosystem How to Manage Cyber Effects on Your Supply

Supply Chain Sponsored By: The Digital Ecosystem How to Manage Cyber Effects on Your Supply

The Digital Ecosystem How to Manage Cyber Effects on Your Supply Chain Sponsored By: The Digital Ecosystem How to Manage Cyber Effects on Your Supply Chain Visit www.advisenltd.com at the end of this webinar to download: Copy of

538 views • 19 slides
DATA Classification State of Ohio Administrative Policy IT-13 Agenda Background

DATA Classification State of Ohio Administrative Policy IT-13 Agenda Background

DATA Classification State of Ohio Administrative Policy IT-13 Agenda Background Classification Elements Roles & Responsibilities Methodology Education & Awareness Compliance & Implementation Purpose The

290 views • 18 slides
Impact of Pharmacy Legislation on Changing Practice Virgil Van Dusen, RPh, JD Bernhardt

Impact of Pharmacy Legislation on Changing Practice Virgil Van Dusen, RPh, JD Bernhardt

Impact of Pharmacy Legislation on Changing Practice Virgil Van Dusen, RPh, JD Bernhardt Professor of Pharmacy Southwestern Oklahoma State University Weatherford, Oklahoma 5/26/2015 1 Change is the law of life. John F. Kennedy 5/26/2015 2

672 views • 44 slides
ENCRYPTIONS EVOLUTION IN TODAYS GDPR COMPLIANT WORLD Mark Christie, Senior Systems

ENCRYPTIONS EVOLUTION IN TODAYS GDPR COMPLIANT WORLD Mark Christie, Senior Systems

ENCRYPTIONS EVOLUTION IN TODAYS GDPR COMPLIANT WORLD Mark Christie, Senior Systems Engineer, StorMagic Kevin Mooney, Solutions Engineering Manager, Fornetix SIMPLIFYING STORAGE AT THE EDGE DATA SECURITY AT THE EDGE Top reasons for

478 views • 18 slides
Split Learning A resource efficient distributed deep learning method without sensitive data

Split Learning A resource efficient distributed deep learning method without sensitive data

Split Learning A resource efficient distributed deep learning method without sensitive data sharing Praneeth Vepakomma vepakom@mit.edu Invisible Health Image Data Small Data Small Data Small Data ML for Health

440 views • 39 slides
ELECTRONIC VISIT VERIFICATION Informational session for providers February 2018 1 Introductions

ELECTRONIC VISIT VERIFICATION Informational session for providers February 2018 1 Introductions

Med-QUEST presents: ELECTRONIC VISIT VERIFICATION Informational session for providers February 2018 1 Introductions Med-QUEST (MQD) staff VCC check-in 2 Agenda Overview of Federal mandate 21 st Century Cures Act Med-QUEST

270 views • 23 slides
Week 1 - Regulations and Ethics HCI4H - Winter 2019 Nadir Weibel, PhD Doing the right

Week 1 - Regulations and Ethics HCI4H - Winter 2019 Nadir Weibel, PhD Doing the right

Human Computer Interaction for Health Week 1 - Regulations and Ethics HCI4H - Winter 2019 Nadir Weibel, PhD Doing the right thing Real integrity is doing the right thing, knowing that nobodys going to know whether you did it

815 views • 50 slides

More recommend