[BreachExchange] Cyber Security

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 23 19:39:04 EDT 2016


http://www.jdsupra.com/legalnews/cyber-security-71168/

Roughly one million pieces of malware—computer viruses or malicious
software—are released every day. In recent years, we’ve witnessed an
unprecedented level of activity in the cyber arena, both in the form of
increased cyber-attacks as well as corresponding legislative and regulatory
activity in response to those attacks. Hackers are faster, stealthier and
more creative, and laws and regulations are often changing to keep up with
such a fast-paced and rapidly evolving environment. It can be difficult and
frustrating to fend off cyber-attacks while keeping track of legal
obligations.

However, failure to do so can be costly—in 2014, the average cost of a data
breach in the U.S. was 6.5 million dollars. Understanding cybersecurity
threats and the legal landscape can save your company money and protect it
from future liability.

The Current Threat Environment

On average, threat actors spend over 200 days inside a network before
discovery. The problem is no longer just keeping the threat actor out, but
also identifying it once it is in the system. In general, there are three
categories of threat actors:

Traditional hackers—those who hack for pecuniary gain. Traditional hackers
look for data they can quickly and easily sell on the dark web (e.g.,
payment card information, social security numbers, etc.);
Nation states—attacks known as Advanced Persistent Threat (APT attacks) for
espionage purposes or economic espionage (e.g., research and development to
develop a product more quickly); and
Hacktivists—those pursuing a loose ideological mission who commit
Distributed Denial of Services attacks (DDoS attacks) to bring down a
website. Generally, a hacktivist’s purpose is to embarrass the victim of
the attack.

Threat actors launch attacks in several ways. In recent years, the most
frequent source of attacks has been through social engineering (e.g.,
phishing—an attempt to acquire sensitive information by masquerading as a
trustworthy entity in an electronic communication, or dropping a thumb
drive in a company’s parking lot, embossed with the company’s name, with
the hope that an employee finds the thumb drive, inserts it into his or her
computer and inadvertently downloads malware). Brute force attacks are also
common—automated software used to generate a large number of consecutive
guesses (by trial and error) to obtain a password.
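The brute-force attacks described above leave a characteristic trail in authentication logs: many failed logins from one source in a short window, either against one account or sprayed across many accounts. The following is an added example (not part of the original article) that flags both patterns over auth-log lines. The log lines are constructed here in the common OpenSSH "Failed password" format, and the window and thresholds are illustrative assumptions to be tuned to a real environment.

```python
"""Flag brute-force and password-spraying login failures in auth-log lines.

Added illustration; the sample log is constructed and the thresholds below
are assumptions, not values from the article.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the OpenSSH failure line, e.g.
# "May 23 19:39:01 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 50211 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample: one source hammering root, one source trying many
# usernames, and one ordinary user who mistypes once and then succeeds.
SAMPLE_LOG = """\
May 23 19:39:01 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 50211 ssh2
May 23 19:39:03 bastion sshd[2102]: Failed password for root from 203.0.113.7 port 50212 ssh2
May 23 19:39:05 bastion sshd[2103]: Failed password for root from 203.0.113.7 port 50213 ssh2
May 23 19:39:07 bastion sshd[2104]: Failed password for root from 203.0.113.7 port 50214 ssh2
May 23 19:39:09 bastion sshd[2105]: Failed password for root from 203.0.113.7 port 50215 ssh2
May 23 19:39:11 bastion sshd[2106]: Failed password for root from 203.0.113.7 port 50216 ssh2
May 23 19:39:20 bastion sshd[2110]: Failed password for invalid user alice from 198.51.100.9 port 40001 ssh2
May 23 19:39:25 bastion sshd[2111]: Failed password for invalid user bob from 198.51.100.9 port 40002 ssh2
May 23 19:39:30 bastion sshd[2112]: Failed password for invalid user carol from 198.51.100.9 port 40003 ssh2
May 23 19:39:35 bastion sshd[2113]: Failed password for invalid user dave from 198.51.100.9 port 40004 ssh2
May 23 19:40:02 bastion sshd[2120]: Failed password for jsmith from 192.0.2.5 port 33000 ssh2
May 23 19:40:10 bastion sshd[2121]: Accepted password for jsmith from 192.0.2.5 port 33000 ssh2
"""


def parse_failures(lines, year=2016):
    """Yield (timestamp, user, ip) for every failed-login line; skip the rest.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def detect(lines, window_seconds=60, max_failures=5, max_users=3):
    """Return {ip: [alert names]} for sources that exceed either threshold.

    brute_force    : more than max_failures failures from one IP inside the window
    password_spray : one IP tries more than max_users distinct usernames inside it
    """
    recent = defaultdict(deque)   # ip -> (timestamp, user) pairs inside the window
    alerts = defaultdict(set)
    for ts, user, ip in sorted(parse_failures(lines)):
        q = recent[ip]
        q.append((ts, user))
        # Drop entries that have aged out of the sliding window.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_failures:
            alerts[ip].add("brute_force")
        if len({u for _, u in q}) > max_users:
            alerts[ip].add("password_spray")
    return {ip: sorted(names) for ip, names in alerts.items()}


if __name__ == "__main__":
    for ip, names in detect(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {', '.join(names)}")
```

Run against the sample, the root-hammering source is reported as brute_force and the multi-username source as password_spray, while the single mistyped login is ignored. A per-source counter like this is the usual basis for a lockout or rate-limit rule; the spraying check matters because a low per-account attempt rate keeps each account below a naive lockout threshold.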

Understanding how and why threat actors operate can help your business
reduce the number of successful attacks. However, once a threat actor is in
your system, understanding the legal implications will help protect your
business from future liability.

Legal Landscape

The U.S. does not have comprehensive data security legislation. Instead,
the U.S. takes an industry specific approach. For example, the
Gramm-Leach-Bliley Act regulates data security in the financial sector,
requiring financial institutions to disclose their information-sharing
practices with their customers and safeguard sensitive data. Other examples
include the Health Insurance Portability and Accountability Act (HIPAA) and
the Health Information Technology for Economic and Clinical Health (HITECH) Act,
which regulate data security in the health sector. The Federal Government
often uses section 5 of the FTC Act, which prohibits unfair or deceptive
practices in or affecting commerce, to investigate and prosecute companies
with inadequate data security procedures.

States also regulate cybersecurity. One example of state regulation is
breach notification laws, which are often the most effective at forcing
companies to focus on data security. 47 states, the District of Columbia,
Guam, Puerto Rico and the Virgin Islands require private or governmental
entities to notify individuals of security breaches of information
involving personally identifiable information. Who is exempt from breach
notification, how personally identifiable information is defined, or what
constitutes a breach vary from state to state.

Also important to safeguarding your business from violating data security
legislation are industry standards such as the Payment Card Industry (PCI)
Data Security Standard, which applies to those businesses that accept major
credit cards, and the National Institute of Standards and Technology (NIST)
Cybersecurity Framework, which provides a roadmap for managing
cybersecurity incidents.

Recent Developments

The Cyber Security Act of 2015 (the “Act”), which is designed to strengthen
private and public sector cyber security, protects companies from civil
liability and regulatory action for monitoring and sharing (through a
Department of Homeland Security web portal) threat indicators and defensive
measures with other businesses and/or the Federal Government. The Federal
Government’s use of such information is limited to investigating and
prosecuting cyber and espionage crimes, preventing serious bodily injury,
terrorist attacks, serious economic harm, and threats to children.

What does this mean for your company? The Act authorizes companies to
monitor information systems for cyber security purposes and share (and
receive) cyber threat indicators and defensive measures with other private
entities and/or the Federal Government—and receive protection from
liability for deploying such measures. The Act reduces legal uncertainty
associated with federal and state privacy laws regarding network
protection/monitoring activities.

Companies looking to implement network monitoring activities should keep a
clear record of their compliance with the Act to ensure the benefits of
liability protection.

As is often the case with cyber security legislation, privacy concerns
serve as barriers to passing effective legislation. The Act addresses
privacy concerns by requiring the Federal Government, prior to sharing
threat indicators, to review those indicators and assess whether the
information contains personal information about a specific individual, and
remove that information if it is not directly related to a cyber threat. In
addition, the Federal Government must notify any U.S. person whose personal
data is shared, to the extent that such sharing violates the Act. The
requirement to review, assess, and remove personal information of a
specific individual applies to private entities as well (but note that
private entities do not have a duty to notify U.S. persons whose personal
information is shared in violation of the Act).