internet law update 2008
play

Internet Law Update: 2008 William J. Cook June 27, 2008 Bill Cook - PowerPoint PPT Presentation

Sep 14, 2023 •269 likes •521 views

Internet Law Update: 2008 William J. Cook June 27, 2008 Bill Cook First 2008 Partner, Wildman Harrold, Chicago IMNA Board Chicago Member, Immediate Past President Intellectual Property, Internet Former Head of US DOJ and Web

  1. Internet Law Update: 2008 William J. Cook June 27, 2008

  2. Bill Cook First 2008 » Partner, Wildman Harrold, » Chicago IMNA Board Chicago Member, Immediate Past President » Intellectual Property, Internet » Former Head of US DOJ and Web law (Business Continuity and Security) Computer Crime Task Force; Counter-Espionage » Chambers 2008 Coordinator and Counter- » 90 trials Terrorist Coordinator; DOJ FEMA Coordinator » Expert presentations on (Chicago) Internet liability before U.S. House Judiciary Comm., » NRC Committee on Critical GAO, FCC Infrastructure Protection and the Law » Extensive experience representing retailers on PCI matters June 2008 W I L D M A N H A R R O L D | A T T O R N E Y S A N D C O U N S E L O R S

  3. 2008 Internet Law Update Summary First 2008 » Privacy drives security and corporate liability, but fails to provide relief to victims under case law » Organization liability for loss of databases: Michigan case and state law » Civil computer fraud must include damage and loss » PCI standards are being used successfully by banks, regulators and legislative groups to punish retailers – whether or not they are responsible » Insider threats continue to be the biggest danger- creating loss, regulatory exposure and proof issues » E-discovery is the greatest legal threat facing IT staff » EU compliance enforcement 5 to 6 years behind US courts June 2008 W I L D M A N H A R R O L D | A T T O R N E Y S A N D C O U N S E L O R S

  4. Nature of the Threat 2008 First 2008 » Credit card losses in 2007=$5.49 billion » Continued growth in Russian & Ukrainian organized crime activity for next 5 to 6 years (USSS) » Legitimate security technology companies failing in Russia due to employment by hostile technologies » $100,000 per day profit maximum due to handling issues » 4/08: Belgium company PCI compliant, but hacked for 4.2 million cards the same day » Advanced Persistent Threat » DOD talk for alleged dedicated Chinese state sponsored hacking » Initial focus on DOD facilities and contractors » Now focus said to be private corporations » Regulatory backlash June 2008 W I L D M A N H A R R O L D | A T T O R N E Y S A N D C O U N S E L O R S

  5. Scope of PCI First 2008 » Enforcement of PCI DS Standards across all related retail areas » Healthcare » Higher education » Utilities » State and Local Government » Insurance » Banking June 2008 W I L D M A N H A R R O L D | A T T O R N E Y S A N D C O U N S E L O R S

  6. Duty to Provide InfoSec First 2008 » Major trend driven by expansion of privacy law » Expanding across all industries » Not just financial and healthcare sectors » Impact on range of corporate deals » Applies to most corporate data » Not just personal data » Also financial, transactional, tax, confidential, etc. » It is all about protecting the stakeholders » Shareholders / investors, employees, customers and prospects, interests of regulatory agencies, unrelated third parties, national interests June 2008 W I L D M A N H A R R O L D | A T T O R N E Y S A N D C O U N S E L O R S

  7. Duty to Provide InfoSec First 2008 » Many sources, no single law or regulation » U.S. Federal laws and regulations » Electronic records generally – E-SIGN » Financial records – Sarbanes-Oxley » Tax records – IRS » Other records – SEC, FDA, HHS, etc. » Personal information » GLBA (financial industry) » HIPAA (healthcare records) » COPPA (children) » Safe Harbor (EU source data) » FTC Section 5 (all industries) June 2008 W I L D M A N H A R R O L D | A T T O R N E Y S A N D C O U N S E L O R S

  8. Duty to Provide InfoSec First 2008 » State laws and regulations » Electronic records generally – UETA » General security laws » Obligations to implement security » Data destruction laws » Other specific laws, e.g., EFT, insurance, etc. » Evidentiary requirements » e.g., AmEx case » Contractual commitments June 2008 W I L D M A N H A R R O L D | A T T O R N E Y S A N D C O U N S E L O R S

  9. Duty to Provide InfoSec » Tort law First 2008 » Bell v. Michigan Council – failure to provide security for employee data » In re Verizon – failure to apply patches » Negligent enablement » FTC and State AG enforcement actions » False representations and promises » Unfair business practices » International Laws » EU Data Protection Directive » EU country implementing laws and regulations » Argentina, Australia, Canada, Japan, and others June 2008 W I L D M A N H A R R O L D | A T T O R N E Y S A N D C O U N S E L O R S

  10. Duty to Provide InfoSec First 2008 » Because security is a legal obligation, what do you have to do? » Do you have to encrypt this data? » Are passwords sufficient or do you need a token? » Is it OK to allow Wi-Fi access? » A “legal” standard for “reasonable security” is developing in the U.S. » It is focused on a “process” rather than specific technical requirements June 2008 W I L D M A N H A R R O L D | A T T O R N E Y S A N D C O U N S E L O R S

  11. Satisfying the Legal Standard Depends on the Company’s Process First 2008 » Identify the assets to be protected » Both (i) under company control and (ii) outsourced » Conduct risk assessment » Identify and evaluate threats, vulnerabilities, and damages » Consider available options » Develop and implement a security program » That is responsive to the risk assessment » That addresses the required categories of controls » Address third parties » Continually monitor, reassess, and adjust » To ensure it is effective » To address new threats, vulnerabilities, and options June 2008 W I L D M A N H A R R O L D | A T T O R N E Y S A N D C O U N S E L O R S

  12. Executives & InfoSec » Who? First 2008 » Not just CIO and risk management functions » CEO, CFO, GC, Senior Management » Board of Directors » What? » Approve the security program » Oversee development, implementation, and maintenance of the security program » Require regular reporting June 2008 W I L D M A N H A R R O L D | A T T O R N E Y S A N D C O U N S E L O R S

  13. Duty to Disclose Security Breaches First 2008 » Duty to disclose security breaches to: » Those who may be affected/injured » Regulators, enforcement agencies, etc. » Obligation akin to “duty to warn” » Started in California in 2003, now 34 states impose some obligation » Laws differ, but all based on California model » Having a major PR impact June 2008 W I L D M A N H A R R O L D | A T T O R N E Y S A N D C O U N S E L O R S

  14. Breach Notification Legal Requirements » Covered information – “name” plus one of: First 2008 » SSN » Drivers license number » Financial account or credit card number » Other » Triggering event » Any breach of security, or » Breach with reasonable likelihood of harm » Obligation on breach » Notify persons whose information compromised » Notify state enforcement agencies – (some states) » Notify credit agencies – (some states) June 2008 W I L D M A N H A R R O L D | A T T O R N E Y S A N D C O U N S E L O R S

  15. Breach Notification Legal Requirements » Timing of the notice First 2008 » In the “most expedient time possible and without unreasonable delay” » Delay OK for law enforcement investigation or to take necessary measures to determine the scope of the breach and restore system integrity » Form of notice » In writing » Electronic form (but must comply with E-SIGN) » Substitute notice » Alt – follow company incident response plan » Penalties » State enforcement (e.g., A.G. office) » Some private right of action June 2008 W I L D M A N H A R R O L D | A T T O R N E Y S A N D C O U N S E L O R S

  16. Data Security Cases First 2008 » Former or Current Employees » Company officers » Vendors » Agents » Competitors June 2008 W I L D M A N H A R R O L D | A T T O R N E Y S A N D C O U N S E L O R S

  17. Employee Theft First 2008 » 49% of US companies had a data theft in 2007 (CM) » US companies lost 5%($625B) of annual revenues to employee fraud (ACFE) » 70% of employee theft is committed by employees with less than 30 days (Unicru Inc.) » Only 8% of internal fraud committed by someone with “a prior” » Average insider job takes place for 18 months before it’s identified (Bankers Ideanet) June 2008 W I L D M A N H A R R O L D | A T T O R N E Y S A N D C O U N S E L O R S

  18. Liability Created by Vendors » Theft from global telecommunications client’s First 2008 healthcare vendor included computers with personal data on the hard drives » Client’s employee database of health information, personal credit cards and other personal information missing » Actions taken: » HIPAA exposure identified » Potential employee legal action(s) identified » Vendor forced to meet ISO 17799 and corporate standards » Prepared and oversaw E&Y ISO 17799 security audit and evaluated compensating controls » Negotiated vendor contract changes and remediation » Rewrote security provisions for vendor contracts June 2008 W I L D M A N H A R R O L D | A T T O R N E Y S A N D C O U N S E L O R S

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NRO update To be the flagship and global leader for collaborative Internet number resource

NRO update To be the flagship and global leader for collaborative Internet number resource

NRO update To be the flagship and global leader for collaborative Internet number resource management as a central element of an open, stable and secure Internet LACNIC 26, September 30th 2016 San Jose, Costa Rica Presentation Summary

474 views • 13 slides
Hospital Update May 2008 Index NSHA Update Our Best Care Update Huronia Hospitals

Hospital Update May 2008 Index NSHA Update Our Best Care Update Huronia Hospitals

Hospital Update May 2008 Index NSHA Update Our Best Care Update Huronia Hospitals Foundation 1 North Simcoe Hospital Alliance Highlights 07/08 Accomplishments Our Best Care campaign finalized implemented PYXIS safe

421 views • 11 slides
IP EuroNF Wrzburg July 21-22 2008 1 Network (R)Evolution Future Internet Interconnecting

IP EuroNF Wrzburg July 21-22 2008 1 Network (R)Evolution Future Internet Interconnecting

The Way 4WARD to a Creation of a Future Internet Henrik Abramowicz Ericsson Research EuroNF Wrzburg July 21-22 2008 Challenging the IP fortress - will this be successful ? IP EuroNF Wrzburg July 21-22 2008 1 Network (R)Evolution

223 views • 9 slides
Monitoring the NZ Internet with AMP WAND Update NZNOG 2014 The Active Measurement Project

Monitoring the NZ Internet with AMP WAND Update NZNOG 2014 The Active Measurement Project

Monitoring the NZ Internet with AMP WAND Update NZNOG 2014 The Active Measurement Project Monitor machines situated throughout the NZ Internet Participating NZ ISPs Universities Alongside name servers Monitors continually

1k views • 33 slides
Update from WIDE (APRICOT Keynote February 21, 2005) Jun Murai Topics Internet for non-PC

Update from WIDE (APRICOT Keynote February 21, 2005) Jun Murai Topics Internet for non-PC

Update from WIDE (APRICOT Keynote February 21, 2005) Jun Murai Topics Internet for non-PC and Mobility Video, Audio and Multicast Lambda Internet Latency Asia-Pacific Infrastructure Some of these are not restricted to

1.02k views • 48 slides
No Yes Do you use the Internet to do homework? Do you use the Internet to follow your

No Yes Do you use the Internet to do homework? Do you use the Internet to follow your

No Yes Do you use the Internet to do homework? Do you use the Internet to follow your favourite team? Do you use the internet to watch music videos? Do you use the Internet to read the news? Do you use the Internet to play games? Shared

997 views • 51 slides
NRO update To be the flagship and global leader for collaborative Internet number resource

NRO update To be the flagship and global leader for collaborative Internet number resource

NRO update To be the flagship and global leader for collaborative Internet number resource management as a central element of an open, stable and secure Internet LACNIC 27, Foz do Iguau, Brasil What is the NRO? Number Resource

283 views • 11 slides
Local Transport Act 2008 An Update for the West of England Partnership 12 th December 2008

Local Transport Act 2008 An Update for the West of England Partnership 12 th December 2008

Local Transport Act 2008 An Update for the West of England Partnership 12 th December 2008 www.gosw.gov.uk 0117 900 1700 contactus.gosw@go-regions.gsi.gov.uk Policy - an evolutionary process Transport Act 2000 / LTP1 LTP2

743 views • 15 slides
Ken Birman i Cornell University. CS5410 Fall 2008. Network Overlays Consider the Internet

Ken Birman i Cornell University. CS5410 Fall 2008. Network Overlays Consider the Internet

Ken Birman i Cornell University. CS5410 Fall 2008. Network Overlays Consider the Internet It creates the illusion of a fully connected n x n world of addressable endpoints dd bl d i t In reality, packets must route through a complex

1.01k views • 21 slides
Investors Presentation 16 October 2008 Erinvale AECI UPDATE AECI UPDATE Trading

Investors Presentation 16 October 2008 Erinvale AECI UPDATE AECI UPDATE Trading

Investors Presentation 16 October 2008 Erinvale AECI UPDATE AECI UPDATE Trading environment Melt-down of global financial markets causing risk re-evaluation M lt d f l b l fi i l k t i i k l ti and credit squeeze

470 views • 19 slides
Policy and Technology Drivers in Policy and Technology Drivers in the Internet of Things the

Policy and Technology Drivers in Policy and Technology Drivers in the Internet of Things the

Policy and Technology Drivers in Policy and Technology Drivers in the Internet of Things the Internet of Things Grald Santucci Head of Unit Networked enterprise & Radio Frequency Identification (RFID) Internet of Things 2008, Zurich

732 views • 28 slides
Offerings in the Internet and Social Media Age Update on Recent SEC Guidance and Other

Offerings in the Internet and Social Media Age Update on Recent SEC Guidance and Other

Presenting a live 90-minute webinar with interactive Q&A Redefining General Solicitation for Securities Offerings in the Internet and Social Media Age Update on Recent SEC Guidance and Other Developments TUESDAY, JANUARY 31, 2017 1pm

394 views • 20 slides
SIP Operation in the Public Internet An Update on What Makes Running SIP a Challenge and What it

SIP Operation in the Public Internet An Update on What Makes Running SIP a Challenge and What it

SIP Operation in the Public Internet An Update on What Makes Running SIP a Challenge and What it Takes To Deal With It Jiri Kuthan, iptel.org sip:jiri@iptel.org Outline Status update: where iptel.orgs operational experience comes from

579 views • 25 slides
Strategy Update Travis Perkins 19 th May 2008 1 Reminder - who we are, what we do John

Strategy Update Travis Perkins 19 th May 2008 1 Reminder - who we are, what we do John

Strategy Update Travis Perkins 19 th May 2008 1 Reminder - who we are, what we do John Carter 2 Market Update Paul Hampden Smith 3 Strategy Update Geoff Cooper 4 Multi Channel Strategy John Carter 5 Toolstation - Mark

827 views • 64 slides
Peer-to-Peer Networks The Internet 6th Week Albert-Ludwigs-Universitt Freiburg Department of

Peer-to-Peer Networks The Internet 6th Week Albert-Ludwigs-Universitt Freiburg Department of

Peer-to-Peer Networks The Internet 6th Week Albert-Ludwigs-Universitt Freiburg Department of Computer Science Computer Networks and Telematics Christian Schindelhauer Summer 2008 Montag, 9. Juni 2008 1 Peer-to-Peer Networks Internet 2

625 views • 23 slides
Nmap: Scanning the Internet by Fyodor Black Hat Briefings USA August 6, 2008; 10AM Defcon 16

Nmap: Scanning the Internet by Fyodor Black Hat Briefings USA August 6, 2008; 10AM Defcon 16

Insecure.Org Insecure.Org Nmap: Scanning the Internet by Fyodor Black Hat Briefings USA August 6, 2008; 10AM Defcon 16 August 8, 2008; 4PM Insecure.Org Insecure.Org Scan Goals Collect empirical data and use it to enhance Nmap

558 views • 45 slides
Chapter 6 Symbolic execution Course Model checking Volker Stolz, Martin Steffen Autumn

Chapter 6 Symbolic execution Course Model checking Volker Stolz, Martin Steffen Autumn

Chapter 6 Symbolic execution Course Model checking Volker Stolz, Martin Steffen Autumn 2019 Section Targets Chapter 6 Symbolic execution Course Model checking Volker Stolz, Martin Steffen Autumn 2019 Chapter 6 Learning

621 views • 47 slides
Conference Opening Remarks David Bradford Co-Founder & Chief Strategy Officer Advisen

Conference Opening Remarks David Bradford Co-Founder & Chief Strategy Officer Advisen

Welcome to Advisens Predictive Modeling Insights Conference Opening Remarks David Bradford Co-Founder & Chief Strategy Officer Advisen Thank you to our Sponsors! Keynote Address Richard Clarke Head of Insurance Advanced Analytics

1.15k views • 86 slides
www.drupaleurope.org Government TRACK SUPPORTED BY 17/3/2018 Developing for privacy and data

www.drupaleurope.org Government TRACK SUPPORTED BY 17/3/2018 Developing for privacy and data

www.drupaleurope.org Government TRACK SUPPORTED BY 17/3/2018 Developing for privacy and data protection Heather Burns Government track // @webdevlaw // not legal advice Heather Burns Tech policy and regulation specialist @webdevlaw What

1.31k views • 104 slides
IDoT: Why We Need an Identity Layer IoT Slam 2016 April 28, 2016 Marc-Anthony Signorino, IDESG

IDoT: Why We Need an Identity Layer IoT Slam 2016 April 28, 2016 Marc-Anthony Signorino, IDESG

IDoT: Why We Need an Identity Layer IoT Slam 2016 April 28, 2016 Marc-Anthony Signorino, IDESG Executive Director Welcome to the Identity Ecosystem The Identity Ecosystem Steering Group (IDESG) is the source of expertise, guidance, best

521 views • 30 slides
Input-Sensitive Profiling Emilio Coppa Camil Demetrescu Irene Finocchi June 11, 2012 PLDI 2012

Input-Sensitive Profiling Emilio Coppa Camil Demetrescu Irene Finocchi June 11, 2012 PLDI 2012

Intro RMS Case study Alg. Implem. Experiments Input-Sensitive Profiling Emilio Coppa Camil Demetrescu Irene Finocchi June 11, 2012 PLDI 2012 1 / 23 E. Coppa, C. Demetrescu, I. Finocchi Input-Sensitive Profiling, PLDI 2012 Intro RMS

999 views • 50 slides
OUTCOME-BASED EDUCATION Assoc. Prof. Ir. Dr. Hayati Abdullah PEng CEng CMarEng ASEAN Eng REEM M.

OUTCOME-BASED EDUCATION Assoc. Prof. Ir. Dr. Hayati Abdullah PEng CEng CMarEng ASEAN Eng REEM M.

OUTCOME-BASED EDUCATION Assoc. Prof. Ir. Dr. Hayati Abdullah PEng CEng CMarEng ASEAN Eng REEM M. AFEO FIMarEST FIEM MIEEE UTMLead The Outcome At the end of this module, participants are expected to be able to: Explain correctly the concept

513 views • 34 slides
Healthcare Privacy Privacy Policy Hospital Auditor Patient Patient Patient information

Healthcare Privacy Privacy Policy Hospital Auditor Patient Patient Patient information

Healthcare Privacy Privacy Policy Hospital Auditor Patient Patient Patient information information information Drug Company Patient Nurse Physician 2 20/02/15 PARCOMTECH, Bengaluru Why is it being formalized? A patient goes to

622 views • 45 slides
on IQA Professor Dr Roziah Mohd Janor Institute Quality and Knowledge Advancement Universiti

on IQA Professor Dr Roziah Mohd Janor Institute Quality and Knowledge Advancement Universiti

Impact of Flexible Education on IQA Professor Dr Roziah Mohd Janor Institute Quality and Knowledge Advancement Universiti Teknologi MARA, Malaysia roziahmj@salam.uitm.edu.my 21 st October 2016 Facets of Flexible Education Flexible in input

420 views • 28 slides

More recommend