Shawn Tuma, profile picture
Uploaded byShawn Tuma
PPTX, PDF335 views

Contracting for Better Cybersecurity

The document discusses best practices for managing cybersecurity and data privacy risks from third party vendors. It recommends (1) conducting due diligence on third parties' security practices before engaging them, (2) using contracts to obligate third parties to comply with security standards and notify clients of incidents, and (3) periodically assessing third parties' security based on risk. Following these practices can help companies minimize risks from third parties as required by laws and frameworks.

Law

Embed presentation

Downloaded 16 times
Shawn E. Tuma Cybersecurity & Data Privacy Attorney Scheef & Stone, LLP Shawn.Tuma@solidcounsel.com Contracting for Better Cybersecurity
A smart man learns from his mistakes. A wise man learns from the mistakes of others. A fool never learns.
Cybersecurity is no longer just an IT issue— it is an overall business risk issue.
Security and IT protect companies’ data; Legal protects companies from their data.
Laws and regulations  Types  Security  Privacy  Unauthorized Access  International Laws  Privacy Shield  GDPR  Federal Laws & Regs.  HIPAA, GLBA, FERPA  FTC, SEC, FCC, HHS  State Laws  48 states (AL & SD)  NYDFS & Colorado FinServ  Industry Groups  PCI, FINRA  Contracts  3rd Party Bus. Assoc.  Data Security Addendum
Laws and regulations  Types  Security  Privacy  Unauthorized Access  International Laws  Privacy Shield  GDPR  Federal Laws & Regs.  HIPAA, GLBA, FERPA  FTC, SEC, FCC, HHS  State Laws  48 states (AL & SD)  NYDFS & Colorado FinServ  Industry Groups  PCI, FINRA  Contracts  3rd Party Bus. Assoc.  Data Security Addendum
1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce on P&P, then security. 4. Phish all workforce (esp. leadership). 5. Multi-factor authentication. 6. Signature based antivirus and malware detection. 7. Internal controls / access controls. 8. No outdated or unsupported software. 9. Security patch updates management policy. 10. Backups segmented offline, cloud, redundant. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk management program. 15. Firewall, intrusion detection and prevention systems. 16. Managed services provider (MSP) or managed security services provider (MSSP). 17. Cyber risk insurance. Common Cybersecurity Best Practices
1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce on P&P, then security. 4. Phish all workforce (esp. leadership). 5. Multi-factor authentication. 6. Signature based antivirus and malware detection. 7. Internal controls / access controls. 8. No outdated or unsupported software. 9. Security patch updates management policy. 10. Backups segmented offline, cloud, redundant. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk management program. 15. Firewall, intrusion detection and prevention systems. 16. Managed services provider (MSP) or managed security services provider (MSSP). 17. Cyber risk insurance. Common Cybersecurity Best Practices
Ancient Cybersecurity Wisdom “Water shapes its course according to the nature of the ground over which it flows; the soldier works out his victory in relation to the foe whom he is facing.” “In all fighting the direct method may be used for joining battle, but indirect methods will be needed to secure victory.”
Lesson: Evaluate and audit third-parties’ security • In re GMR Transcription Svcs., Inc., Consent Order (Aug. 14, 2014). • FTC’s Order requires business to follow 3 steps when working with third-party service providers: 1. Investigate before hiring data service providers 2. Obligate data service providers to adhere to the appropriate level of data security protections 3. Verify that the data service providers are complying with obligations (contracts)
Lesson: Evaluate and audit third-parties’ security In January 2014, SEC indicates that the new standard of care for companies may require policies in place for: 1. Prevention, detection, and response to cyber attacks and data breaches, 2. IT training focused on security, and 3. Vendor access to company systems and vendor due diligence.
NIST Cybersecurity Framework (prop. ver. 1.1) • Adds “Supply Chain Risk Management (SCRM)” as a “Framework Core” function • Coordinate cybersecurity efforts with suppliers of IT and OT (operational technology) partners • Enact cybersecurity requirements through contracts; • Communicate how cybersecurity standards will be verified and validated; and • Verify cybersecurity standards are met.
Lesson: Know your contractual obligations • Addendum to business contracts • Common names: Data Security & Privacy Agreement; Data Privacy; Cybersecurity; Privacy; Information Security • Common features: • Defines subject “Data” / “Network” protected in categories • Establishes acceptable and prohibited uses for Data / Network • Establishes standards for protecting Data / Network (3rd / Nth) • Allocates obligations and responsibility for incident • Notice, roles, expenses • Requires binding third-parties to similar provisions
New York Department of Financial Services Cybersecurity (NYDFS) Requirements for Financial Services Companies + [fill in] • All NY “financial institutions” + third party service providers. • Third party service providers – examine, obligate, audit. • Establish Cybersecurity Program (w/ specifics): • Logging, Data Classification, IDS, IPS; • Pen Testing, Vulnerability Assessments, Risk Assessment; and • Encryption, Access Controls. • Adopt Cybersecurity Policies. • Designate qualified CISO to be responsible. • Adequate cybersecurity personnel and intelligence. • Personnel Policies & Procedures, Training, Written IRP. • Chairman or Senior Officer Certify Compliance.
Third Party Service Provider Security Policy Section 500.11 “Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers.” • P&P should be based on CE’s Risk Assessment and address the following, as applicable: • The identification and risk assessment of TPSPs; • Minimum CP required by TPSP to do business with CE; • Due diligence process used to evaluate the adequacy of CP by such TPSP; • Periodic assessment of such TPSP based on risk they present and continued adequacy of their CP. • P&P shall include relevant guidelines for due diligence and/or contractual protections relating to TPSP and applicable guidelines addressing: • TPSP’s P&P for access controls and MFA to IS / NPI • TPSP’s P&P for use of encryption in transit and at rest; • Notice to be provided to CE for Cybersecurity Event; and • Reps and warranties addressing TPSP’s cybersecurity P&P NEW YORK DEPARTMENT OF FINANCIAL SERVICES CYBERSECURITY REGULATIONS
EU – General Data Protection Regulation (GDPR) • Goal: Protect all EU citizens from privacy and data breaches. • When: May 25, 2018. • Reach: Applies to all companies (controllers and processors): • Processing data of EU residents (regardless of where processing), • In the EU (regardless of where processing), or • Offering goods or services to EU citizens or monitoring behavior in EU. • Penalties: up to 4% global turnover or €20 Million (whichever is greater). • Remedies: data subjects have judicial remedies, right to damages. • Data subject rights: • Breach notification – 72 hrs to DPA; “without undue delay” to data subjects. • Right to access – provide confirmation of processing and electronic copy (free). • Data erasure – right to be forgotten, erase, cease dissemination or processing. • Data portability – receive previously provided data in common elect. format. • Privacy by design – include data protection from the onset of designing systems.
Third Party Processing and Risk Under the GDPR • Controller, individually or with other controllers (jointly and severally), is responsible to the data subjects. Art. 26 • Processor only process on controller’s instructions. Art. 29 • Using a risk assessment, the controller must implement appropriate technical and organizational safeguards (incl. P&P) to ensure personal data is processed lawfully. Reassessment and maturation is required. Art. 24(1) • Controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures to satisfy GDPR. Art. 28 • Processor must have controller’s written authorization to engage another sub-processor; • Processor must have binding contract with controller specifying particulars of processing; • Processor must be bound to confidentiality; • Processor must demonstrate compliance and agree to audits and inspections; • Nth processors liable to upstream processor, which is liable to the controller, which is ultimately liable. • Non-regulated controllers and processors can contractually agree to be bound. Art. 42 EUROPEAN UNION GENERAL DATA PROTECTION REGS.
Example Scenarios
“It’s not our fault!” • Private security firm’s job applicants’ personal data (including identification of those with Top Secret security clearances) is exposed on an unsecured Amazon server. • Firm says it wasn’t its fault, it was fault of its third-party vendor that we hired to process new job applications that left the data exposed. • Former CIA, NSA, Secret Service • Names, home addresses, telephone numbers, email addresses • Applicant transported nuclear activation codes • Applicant was “warden advisor” at Abu Ghraib black site • Who do you think is responsible? • Do you think a better contract would have helped? • What would have helped prevent this?
“We can’t afford it” • MegaCorp is a global leader in biotechnology and one of the world’s wealthiest companies. MegaCorp developed new highly confidential and proprietary bio-authentication technology that could solve the world’s cybersecurity problem by setting access rights to data based on users’ unique DNA. • MegaCorp recognizes the cyber threat and has state-of-the-art cybersecurity for its network, having a larger cybersecurity budget than the revenue of many biotech companies. • For testing to prove the technology works, MegaCorp turns to the 4 best biotech research facilities, known for the quality and integrity of their research, not their profitability. • MegaCorp’s contracts with the facilities requires they maintain security and confidentiality of its intellectual property (IP).
“We can’t afford it” (cont.) • During testing for MegaCorp, Research1 discovers an intrusion in its network. Due to budget limitations, its “IT guy” calls his buddy to do “forensics” and discover Research1’s network was being used to mine Bitcoin. They block the hacker and conclude “no problem.” • Two weeks later Research1 gets hit with ransomware and a demand for $100,000 paid in Bitcoin. IT guy was able to restore the network from backups so he sent a taunting email to the hacker, just for fun. He also ignored that lawyer who warns of possible persistent attack and said it may be a legal breach. • One week later the hacker emails Research1’s Board of Directors saying they have MegaCorp’s data, demand $1million which it can’t afford to pay.
Lessons from “We can’t afford it!” • Larger enterprises have a better appreciation of cyber risk and spend more resources on it. SMBs are not there … yet … still thinking, “we can’t afford it,” is justifiable. • Does the harm to MegaCorp’s IP change depending on whether taken from it or Research1? • MegaCorp would crush Research1 in a lawsuit … so what? • MegaCorp would have gladly paid the $1million ransom to try and protect its IP, even with no guarantee. • What contractual terms would have helped MegaCorp? • What practical discussions would have helped MegaCorp? • What risk transfer devices would have helped? • What technology would have helped?
Key Takeaways
Focus on basic principles • Two primary reasons for cybersecurity in contracting are to: • Minimize risk, including third-party risk; and • Determine the process and responsibility for incidents. • Risk can be reduced to two basic things: protecting – wherever and however – and responding to incidents concerning: • Networks • Data
Checklist: Using contracts to manage third-party risk Focus on objectives: protecting, responding, responsibility of data/network Staff appropriately Understand facts of relationship/transaction Understand risks by thinking worst case scenario from outset Minimalize risks: do not risk it if you do not have to Discuss objectives, facts, risks, protection with those responsible Assess third-party’s sophistication and commitment Agree upon appropriate protections Investigate ability to comply Obligate compliance, notification (to you), responsibility Include in incident response planning Cyber Insurance: transfer risk where possible
• Board of Directors & GeneralCounsel, Cyber Future Foundation • Board of Advisors, NorthTexas Cyber Forensics Lab • Policy Council, NationalTechnology Security Coalition • CybersecurityTask Force, IntelligentTransportation Society of America • Cybersecurity & Data Privacy LawTrailblazers, National Law Journal (2016) • SuperLawyersTop 100 Lawyers in Dallas (2016) • SuperLawyers 2015-16 (IP Litigation) • Best Lawyers in Dallas 2014-16, D Magazine (Digital Information Law) • Council, Computer &Technology Section, State Bar ofTexas • Privacy and Data Security Committee of the State Bar ofTexas • College of the State Bar ofTexas • Board of Directors, CollinCounty Bench Bar Conference • Past Chair,Civil Litigation &Appellate Section, CollinCounty Bar Association • Information Security Committee of the Section on Science &Technology Committee of the American BarAssociation • NorthTexas Crime Commission, Cybercrime Committee & Infragard (FBI) • InternationalAssociation of Privacy Professionals (IAPP) • Board of Advisors Office of CISO, Optiv Security Shawn Tuma Cybersecurity Partner Scheef & Stone, L.L.P. 214.472.2135 shawn.tuma@solidcounsel.com @shawnetuma blog: www.shawnetuma.com web: www.solidcounsel.com

More Related Content

PDF
Craft Your Cyber Incident Response Plan (Before It's Too Late)
byResilient Systems
 
PPTX
Cybersecurity Fundamentals for Legal Professionals (and every other business)
byShawn Tuma
 
PPTX
Cybersecurity Fundamentals for Legal Professionals
byShawn Tuma
 
PDF
Lifecycle: Responding to a Ransomware Attack - A Professional Breach Guide's ...
byShawn Tuma
 
PDF
The Legal Case for Cybersecurity - SecureWorld Dallas 2017 (Lunch Keynote)
byShawn Tuma
 
PDF
Laser App Conference 2017 - Sid Yenamandra, Entreda
byLaser App Software
 
PDF
Recovering from a Cyber Attack
byShawn Tuma
 
PPTX
Cybersecurity Fundamentals by Shaw E. Tuma
byKlemchuk LLP
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
byResilient Systems
 
Cybersecurity Fundamentals for Legal Professionals (and every other business)
byShawn Tuma
 
Cybersecurity Fundamentals for Legal Professionals
byShawn Tuma
 
Lifecycle: Responding to a Ransomware Attack - A Professional Breach Guide's ...
byShawn Tuma
 
The Legal Case for Cybersecurity - SecureWorld Dallas 2017 (Lunch Keynote)
byShawn Tuma
 
Laser App Conference 2017 - Sid Yenamandra, Entreda
byLaser App Software
 
Recovering from a Cyber Attack
byShawn Tuma
 
Cybersecurity Fundamentals by Shaw E. Tuma
byKlemchuk LLP
 

What's hot

PDF
Threat Hunting
bySplunk
 
PDF
Cybersecurity: Cyber Risk Management for Lawyers and Clients
byShawn Tuma
 
PDF
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
byAPNIC
 
PPTX
How to assess and manage cyber risk
byStephen Cobb
 
PPTX
The Internal Signs of Compromise
byFireEye, Inc.
 
PDF
Hunting for cyber threats targeting weapon systems
byFidelis Cybersecurity
 
PDF
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...
byLancope, Inc.
 
PDF
Proactive incident response
byBrian Honan
 
PPTX
How to Recover from a Ransomware Disaster
bySpanning Cloud Apps
 
PDF
Building a Strategic Plan for Your Security Awareness Program
byPriyanka Aash
 
DOCX
SEC440: Incident Response Plan
byThomas Christopher Ty
 
PDF
NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea Almeida
byNorth Texas Chapter of the ISSA
 
PDF
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
byShawn Tuma
 
PPTX
Netwatcher Credit Union Tech Talk
byNetWatcher
 
PPTX
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
bycentralohioissa
 
PDF
Incident Response: How To Prepare
byResilient Systems
 
PPTX
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
byNorth Texas Chapter of the ISSA
 
PDF
Ht t17
bySelectedPresentations
 
PPTX
Ransomware Has Evolved And So Should Your Company
byVeriato
 
PPTX
HOW TO PREPARE FOR AND RESPOND TO A RANDSOMWARE ATTACK [Webinar]
byStanton Viaduc
 
Threat Hunting
bySplunk
 
Cybersecurity: Cyber Risk Management for Lawyers and Clients
byShawn Tuma
 
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
byAPNIC
 
How to assess and manage cyber risk
byStephen Cobb
 
The Internal Signs of Compromise
byFireEye, Inc.
 
Hunting for cyber threats targeting weapon systems
byFidelis Cybersecurity
 
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...
byLancope, Inc.
 
Proactive incident response
byBrian Honan
 
How to Recover from a Ransomware Disaster
bySpanning Cloud Apps
 
Building a Strategic Plan for Your Security Awareness Program
byPriyanka Aash
 
SEC440: Incident Response Plan
byThomas Christopher Ty
 
NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea Almeida
byNorth Texas Chapter of the ISSA
 
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
byShawn Tuma
 
Netwatcher Credit Union Tech Talk
byNetWatcher
 
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
bycentralohioissa
 
Incident Response: How To Prepare
byResilient Systems
 
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
byNorth Texas Chapter of the ISSA
 
Ht t17
bySelectedPresentations
 
Ransomware Has Evolved And So Should Your Company
byVeriato
 
HOW TO PREPARE FOR AND RESPOND TO A RANDSOMWARE ATTACK [Webinar]
byStanton Viaduc
 

Similar to Contracting for Better Cybersecurity

PPTX
The Role of Contracts in Privacy, Cybersecurity, and Data Breach
byShawn Tuma
 
PDF
How to Approach the NYDFS Proposed Cybersecurity Requirements
byKyle Brown
 
PDF
General Data Protection Regulation and Compliance - GDPR: Sharique M Rizvi
bySharique Rizvi
 
PPTX
Cybersecurity Law and Risk Management
byKeelan Stewart
 
PDF
Legal Issues Associated with Third-Party Cyber Risk
byShawn Tuma
 
PDF
The Legal Case for Cybersecurity - SecureWorld Denver 2017 (Lunch Keynote)
byShawn Tuma
 
PDF
The Legal Case for Cybersecurity
byShawn Tuma
 
PDF
Why Your Organization Must Have a Cyber Risk Management Program and How to De...
byShawn Tuma
 
PDF
Cybersecurity solution-guide
byAdilsonSuende
 
PDF
Cybersecurity (and Privacy) Issues - Legal and Compliance Issues Everyone in ...
byShawn Tuma
 
PDF
Complying with Cybersecurity Regulations for IBM i Servers and Data
byPrecisely
 
PDF
Cybersecurity and Privacy for In-House Counsel: How the New Regulations and G...
byShawn Tuma
 
PPTX
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
bySirius
 
PDF
The Legal Case for Cyber Risk Management Programs and What They Should Include
byShawn Tuma
 
PDF
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
byShawn Tuma
 
PPTX
Trust in the Cloud: Legal and Regulatory Framework
byFrancoise Gilbert
 
PDF
Cyber Security for Your Clients: Business Lawyers Advising Business Clients
byShawn Tuma
 
PDF
Effective cybersecurity for small and midsize businesses
byShawn Tuma
 
PDF
Cybersecurity: What the GC and CEO Need to Know
byShawn Tuma
 
PPTX
Data Security and Privacy by Contract: Hacking Us All Into Business Associate...
byShawn Tuma
 
The Role of Contracts in Privacy, Cybersecurity, and Data Breach
byShawn Tuma
 
How to Approach the NYDFS Proposed Cybersecurity Requirements
byKyle Brown
 
General Data Protection Regulation and Compliance - GDPR: Sharique M Rizvi
bySharique Rizvi
 
Cybersecurity Law and Risk Management
byKeelan Stewart
 
Legal Issues Associated with Third-Party Cyber Risk
byShawn Tuma
 
The Legal Case for Cybersecurity - SecureWorld Denver 2017 (Lunch Keynote)
byShawn Tuma
 
The Legal Case for Cybersecurity
byShawn Tuma
 
Why Your Organization Must Have a Cyber Risk Management Program and How to De...
byShawn Tuma
 
Cybersecurity solution-guide
byAdilsonSuende
 
Cybersecurity (and Privacy) Issues - Legal and Compliance Issues Everyone in ...
byShawn Tuma
 
Complying with Cybersecurity Regulations for IBM i Servers and Data
byPrecisely
 
Cybersecurity and Privacy for In-House Counsel: How the New Regulations and G...
byShawn Tuma
 
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
bySirius
 
The Legal Case for Cyber Risk Management Programs and What They Should Include
byShawn Tuma
 
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
byShawn Tuma
 
Trust in the Cloud: Legal and Regulatory Framework
byFrancoise Gilbert
 
Cyber Security for Your Clients: Business Lawyers Advising Business Clients
byShawn Tuma
 
Effective cybersecurity for small and midsize businesses
byShawn Tuma
 
Cybersecurity: What the GC and CEO Need to Know
byShawn Tuma
 
Data Security and Privacy by Contract: Hacking Us All Into Business Associate...
byShawn Tuma
 

More from Shawn Tuma

PDF
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
byShawn Tuma
 
PPTX
NYDFS Cybersecurity Regulations - 23 NYCRR Part 500
byShawn Tuma
 
PDF
Cybersecurity: How to Protect Your Firm from a Cyber Attack
byShawn Tuma
 
PPTX
"What Could Go Wrong?" - We're Glad You Asked!
byShawn Tuma
 
PDF
Incident Response Planning - Lifecycle of Responding to a Ransomware Attack
byShawn Tuma
 
PDF
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
byShawn Tuma
 
PDF
Reimagine Your Company Operating Again After a Ransomware Attack -- The Lifec...
byShawn Tuma
 
PDF
The Dark Side of Digital Engagement
byShawn Tuma
 
PDF
Cyber Hygiene Checklist
byShawn Tuma
 
PDF
Cyber Incident Response Checklist
byShawn Tuma
 
PDF
The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...
byShawn Tuma
 
PDF
The Legal Case for Cyber Risk Management Programs and What They Should Include
byShawn Tuma
 
PPT
Something is Phishy: Cyber Scams and How to Avoid Them
byShawn Tuma
 
PPTX
#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm
byShawn Tuma
 
PDF
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
byShawn Tuma
 
PDF
Lawyers' Ethical Obligations for Cybersecurity
byShawn Tuma
 
PDF
Cybersecurity Update
byShawn Tuma
 
PDF
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
byShawn Tuma
 
PDF
Real World Cyber Risk. Understand it. Manage it.
byShawn Tuma
 
PPTX
The Essentials of Cyber Insurance: A Panel of Industry Experts
byShawn Tuma
 
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
byShawn Tuma
 
NYDFS Cybersecurity Regulations - 23 NYCRR Part 500
byShawn Tuma
 
Cybersecurity: How to Protect Your Firm from a Cyber Attack
byShawn Tuma
 
"What Could Go Wrong?" - We're Glad You Asked!
byShawn Tuma
 
Incident Response Planning - Lifecycle of Responding to a Ransomware Attack
byShawn Tuma
 
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
byShawn Tuma
 
Reimagine Your Company Operating Again After a Ransomware Attack -- The Lifec...
byShawn Tuma
 
The Dark Side of Digital Engagement
byShawn Tuma
 
Cyber Hygiene Checklist
byShawn Tuma
 
Cyber Incident Response Checklist
byShawn Tuma
 
The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...
byShawn Tuma
 
The Legal Case for Cyber Risk Management Programs and What They Should Include
byShawn Tuma
 
Something is Phishy: Cyber Scams and How to Avoid Them
byShawn Tuma
 
#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm
byShawn Tuma
 
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
byShawn Tuma
 
Lawyers' Ethical Obligations for Cybersecurity
byShawn Tuma
 
Cybersecurity Update
byShawn Tuma
 
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
byShawn Tuma
 
Real World Cyber Risk. Understand it. Manage it.
byShawn Tuma
 
The Essentials of Cyber Insurance: A Panel of Industry Experts
byShawn Tuma
 

Recently uploaded

PPTX
Business_Law_introduction_semester_1_2024.pptx
byhodixa6147
 
PPTX
Unlocking Success: Account-Based Marketing for the Legal Industry
byLawyers Email Data
 
PDF
David Davis Lawyer - A Seasoned Manitoba Lawyer
byDavid Davis Lawyer
 
PDF
Work Visa lawyer Chicago|Hussain, Binders & Liston LLC.pdf
byHussain, Binders & Liston LLC
 
PDF
Tehseen-S.-Poonawala-vs.-Union-of-India-1.pdf
bysabranghindi
 
PPTX
EXPERT OPINION, HARSH BHAGAT, ROLL NO 16, SEMESTER 9(2024-2025),BSA 2023, ALC...
bytheharshbhagat
 
PPT
524363670-MILITARY-JUSTICe systemsss.ppt
byPaulBarrios14
 
PPTX
IP in the Entertainment Industry by Altacit Global
byAltacit Global
 
PPTX
Cryptocurrency and Digital Assets by Altacit Global
byAltacit Global
 
PDF
navdeep-mathur-v-state-of-gujarat-635079-1.pdf
bysabranghindi
 
PPTX
Legal Challenges in Cross-Border E-commerce
byAltacit Global
 
PPTX
LABOUR LAW 1 - Unit 1 notes - LLB Degree Course
byMUTHUKUMARC24
 
PPTX
Fundamental_Rights_Presentation-to present.pptx
bysameena232004
 
PPTX
Digital India Bill by Altacit Global.pptx
byAltacit Global
 
PPTX
Union Budget 2015 Highlights Presentation
bycapratikshah0607
 
PPTX
Carcinogenesis theory-1.pptxebsbdbdbdbbb
byarnabpratihary65
 
PPTX
Corporate Governance and Compliance in India
byAltacit Global
 
PPTX
IP and Fashion Industry by Altacit Global.pptx
byAltacit Global
 
PPTX
Anticipation on Patents Act by Altacit Global
byAltacit Global
 
PDF
display-634856.pdf The Bench of Justices Vikram Nath and Sandeep Mehta
bysabranghindi
 
Business_Law_introduction_semester_1_2024.pptx
byhodixa6147
 
Unlocking Success: Account-Based Marketing for the Legal Industry
byLawyers Email Data
 
David Davis Lawyer - A Seasoned Manitoba Lawyer
byDavid Davis Lawyer
 
Work Visa lawyer Chicago|Hussain, Binders & Liston LLC.pdf
byHussain, Binders & Liston LLC
 
Tehseen-S.-Poonawala-vs.-Union-of-India-1.pdf
bysabranghindi
 
EXPERT OPINION, HARSH BHAGAT, ROLL NO 16, SEMESTER 9(2024-2025),BSA 2023, ALC...
bytheharshbhagat
 
524363670-MILITARY-JUSTICe systemsss.ppt
byPaulBarrios14
 
IP in the Entertainment Industry by Altacit Global
byAltacit Global
 
Cryptocurrency and Digital Assets by Altacit Global
byAltacit Global
 
navdeep-mathur-v-state-of-gujarat-635079-1.pdf
bysabranghindi
 
Legal Challenges in Cross-Border E-commerce
byAltacit Global
 
LABOUR LAW 1 - Unit 1 notes - LLB Degree Course
byMUTHUKUMARC24
 
Fundamental_Rights_Presentation-to present.pptx
bysameena232004
 
Digital India Bill by Altacit Global.pptx
byAltacit Global
 
Union Budget 2015 Highlights Presentation
bycapratikshah0607
 
Carcinogenesis theory-1.pptxebsbdbdbdbbb
byarnabpratihary65
 
Corporate Governance and Compliance in India
byAltacit Global
 
IP and Fashion Industry by Altacit Global.pptx
byAltacit Global
 
Anticipation on Patents Act by Altacit Global
byAltacit Global
 
display-634856.pdf The Bench of Justices Vikram Nath and Sandeep Mehta
bysabranghindi
 

Contracting for Better Cybersecurity

  • 1.
    Shawn E. Tuma Cybersecurity& Data Privacy Attorney Scheef & Stone, LLP Shawn.Tuma@solidcounsel.com Contracting for Better Cybersecurity
  • 2.
    A smart manlearns from his mistakes. A wise man learns from the mistakes of others. A fool never learns.
  • 3.
    Cybersecurity is nolonger just an IT issue— it is an overall business risk issue.
  • 4.
    Security and ITprotect companies’ data; Legal protects companies from their data.
  • 5.
    Laws and regulations Types  Security  Privacy  Unauthorized Access  International Laws  Privacy Shield  GDPR  Federal Laws & Regs.  HIPAA, GLBA, FERPA  FTC, SEC, FCC, HHS  State Laws  48 states (AL & SD)  NYDFS & Colorado FinServ  Industry Groups  PCI, FINRA  Contracts  3rd Party Bus. Assoc.  Data Security Addendum
  • 6.
    Laws and regulations Types  Security  Privacy  Unauthorized Access  International Laws  Privacy Shield  GDPR  Federal Laws & Regs.  HIPAA, GLBA, FERPA  FTC, SEC, FCC, HHS  State Laws  48 states (AL & SD)  NYDFS & Colorado FinServ  Industry Groups  PCI, FINRA  Contracts  3rd Party Bus. Assoc.  Data Security Addendum
  • 7.
    1. Risk assessment. 2.Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce on P&P, then security. 4. Phish all workforce (esp. leadership). 5. Multi-factor authentication. 6. Signature based antivirus and malware detection. 7. Internal controls / access controls. 8. No outdated or unsupported software. 9. Security patch updates management policy. 10. Backups segmented offline, cloud, redundant. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk management program. 15. Firewall, intrusion detection and prevention systems. 16. Managed services provider (MSP) or managed security services provider (MSSP). 17. Cyber risk insurance. Common Cybersecurity Best Practices
  • 8.
    1. Risk assessment. 2.Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce on P&P, then security. 4. Phish all workforce (esp. leadership). 5. Multi-factor authentication. 6. Signature based antivirus and malware detection. 7. Internal controls / access controls. 8. No outdated or unsupported software. 9. Security patch updates management policy. 10. Backups segmented offline, cloud, redundant. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk management program. 15. Firewall, intrusion detection and prevention systems. 16. Managed services provider (MSP) or managed security services provider (MSSP). 17. Cyber risk insurance. Common Cybersecurity Best Practices
  • 9.
    Ancient Cybersecurity Wisdom “Watershapes its course according to the nature of the ground over which it flows; the soldier works out his victory in relation to the foe whom he is facing.” “In all fighting the direct method may be used for joining battle, but indirect methods will be needed to secure victory.”
  • 10.
    Lesson: Evaluate andaudit third-parties’ security • In re GMR Transcription Svcs., Inc., Consent Order (Aug. 14, 2014). • FTC’s Order requires business to follow 3 steps when working with third-party service providers: 1. Investigate before hiring data service providers 2. Obligate data service providers to adhere to the appropriate level of data security protections 3. Verify that the data service providers are complying with obligations (contracts)
  • 11.
    Lesson: Evaluate andaudit third-parties’ security In January 2014, SEC indicates that the new standard of care for companies may require policies in place for: 1. Prevention, detection, and response to cyber attacks and data breaches, 2. IT training focused on security, and 3. Vendor access to company systems and vendor due diligence.
  • 12.
    NIST Cybersecurity Framework(prop. ver. 1.1) • Adds “Supply Chain Risk Management (SCRM)” as a “Framework Core” function • Coordinate cybersecurity efforts with suppliers of IT and OT (operational technology) partners • Enact cybersecurity requirements through contracts; • Communicate how cybersecurity standards will be verified and validated; and • Verify cybersecurity standards are met.
  • 13.
    Lesson: Know yourcontractual obligations • Addendum to business contracts • Common names: Data Security & Privacy Agreement; Data Privacy; Cybersecurity; Privacy; Information Security • Common features: • Defines subject “Data” / “Network” protected in categories • Establishes acceptable and prohibited uses for Data / Network • Establishes standards for protecting Data / Network (3rd / Nth) • Allocates obligations and responsibility for incident • Notice, roles, expenses • Requires binding third-parties to similar provisions
  • 14.
    New York Departmentof Financial Services Cybersecurity (NYDFS) Requirements for Financial Services Companies + [fill in] • All NY “financial institutions” + third party service providers. • Third party service providers – examine, obligate, audit. • Establish Cybersecurity Program (w/ specifics): • Logging, Data Classification, IDS, IPS; • Pen Testing, Vulnerability Assessments, Risk Assessment; and • Encryption, Access Controls. • Adopt Cybersecurity Policies. • Designate qualified CISO to be responsible. • Adequate cybersecurity personnel and intelligence. • Personnel Policies & Procedures, Training, Written IRP. • Chairman or Senior Officer Certify Compliance.
  • 15.
    Third Party Service Provider SecurityPolicy Section 500.11 “Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers.” • P&P should be based on CE’s Risk Assessment and address the following, as applicable: • The identification and risk assessment of TPSPs; • Minimum CP required by TPSP to do business with CE; • Due diligence process used to evaluate the adequacy of CP by such TPSP; • Periodic assessment of such TPSP based on risk they present and continued adequacy of their CP. • P&P shall include relevant guidelines for due diligence and/or contractual protections relating to TPSP and applicable guidelines addressing: • TPSP’s P&P for access controls and MFA to IS / NPI • TPSP’s P&P for use of encryption in transit and at rest; • Notice to be provided to CE for Cybersecurity Event; and • Reps and warranties addressing TPSP’s cybersecurity P&P NEW YORK DEPARTMENT OF FINANCIAL SERVICES CYBERSECURITY REGULATIONS
  • 16.
    EU – GeneralData Protection Regulation (GDPR) • Goal: Protect all EU citizens from privacy and data breaches. • When: May 25, 2018. • Reach: Applies to all companies (controllers and processors): • Processing data of EU residents (regardless of where processing), • In the EU (regardless of where processing), or • Offering goods or services to EU citizens or monitoring behavior in EU. • Penalties: up to 4% global turnover or €20 Million (whichever is greater). • Remedies: data subjects have judicial remedies, right to damages. • Data subject rights: • Breach notification – 72 hrs to DPA; “without undue delay” to data subjects. • Right to access – provide confirmation of processing and electronic copy (free). • Data erasure – right to be forgotten, erase, cease dissemination or processing. • Data portability – receive previously provided data in common elect. format. • Privacy by design – include data protection from the onset of designing systems.
  • 17.
    Third Party Processing and RiskUnder the GDPR • Controller, individually or with other controllers (jointly and severally), is responsible to the data subjects. Art. 26 • Processor only process on controller’s instructions. Art. 29 • Using a risk assessment, the controller must implement appropriate technical and organizational safeguards (incl. P&P) to ensure personal data is processed lawfully. Reassessment and maturation is required. Art. 24(1) • Controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures to satisfy GDPR. Art. 28 • Processor must have controller’s written authorization to engage another sub-processor; • Processor must have binding contract with controller specifying particulars of processing; • Processor must be bound to confidentiality; • Processor must demonstrate compliance and agree to audits and inspections; • Nth processors liable to upstream processor, which is liable to the controller, which is ultimately liable. • Non-regulated controllers and processors can contractually agree to be bound. Art. 42 EUROPEAN UNION GENERAL DATA PROTECTION REGS.
  • 18.
  • 19.
    “It’s not ourfault!” • Private security firm’s job applicants’ personal data (including identification of those with Top Secret security clearances) is exposed on an unsecured Amazon server. • Firm says it wasn’t its fault, it was fault of its third-party vendor that we hired to process new job applications that left the data exposed. • Former CIA, NSA, Secret Service • Names, home addresses, telephone numbers, email addresses • Applicant transported nuclear activation codes • Applicant was “warden advisor” at Abu Ghraib black site • Who do you think is responsible? • Do you think a better contract would have helped? • What would have helped prevent this?
  • 20.
    “We can’t affordit” • MegaCorp is a global leader in biotechnology and one of the world’s wealthiest companies. MegaCorp developed new highly confidential and proprietary bio-authentication technology that could solve the world’s cybersecurity problem by setting access rights to data based on users’ unique DNA. • MegaCorp recognizes the cyber threat and has state-of-the-art cybersecurity for its network, having a larger cybersecurity budget than the revenue of many biotech companies. • For testing to prove the technology works, MegaCorp turns to the 4 best biotech research facilities, known for the quality and integrity of their research, not their profitability. • MegaCorp’s contracts with the facilities requires they maintain security and confidentiality of its intellectual property (IP).
  • 21.
    “We can’t affordit” (cont.) • During testing for MegaCorp, Research1 discovers an intrusion in its network. Due to budget limitations, its “IT guy” calls his buddy to do “forensics” and discover Research1’s network was being used to mine Bitcoin. They block the hacker and conclude “no problem.” • Two weeks later Research1 gets hit with ransomware and a demand for $100,000 paid in Bitcoin. IT guy was able to restore the network from backups so he sent a taunting email to the hacker, just for fun. He also ignored that lawyer who warns of possible persistent attack and said it may be a legal breach. • One week later the hacker emails Research1’s Board of Directors saying they have MegaCorp’s data, demand $1million which it can’t afford to pay.
  • 22.
    Lessons from “Wecan’t afford it!” • Larger enterprises have a better appreciation of cyber risk and spend more resources on it. SMBs are not there … yet … still thinking, “we can’t afford it,” is justifiable. • Does the harm to MegaCorp’s IP change depending on whether taken from it or Research1? • MegaCorp would crush Research1 in a lawsuit … so what? • MegaCorp would have gladly paid the $1million ransom to try and protect its IP, even with no guarantee. • What contractual terms would have helped MegaCorp? • What practical discussions would have helped MegaCorp? • What risk transfer devices would have helped? • What technology would have helped?
  • 23.
  • 24.
    Focus on basicprinciples • Two primary reasons for cybersecurity in contracting are to: • Minimize risk, including third-party risk; and • Determine the process and responsibility for incidents. • Risk can be reduced to two basic things: protecting – wherever and however – and responding to incidents concerning: • Networks • Data
  • 25.
    Checklist: Using contractsto manage third-party risk Focus on objectives: protecting, responding, responsibility of data/network Staff appropriately Understand facts of relationship/transaction Understand risks by thinking worst case scenario from outset Minimalize risks: do not risk it if you do not have to Discuss objectives, facts, risks, protection with those responsible Assess third-party’s sophistication and commitment Agree upon appropriate protections Investigate ability to comply Obligate compliance, notification (to you), responsibility Include in incident response planning Cyber Insurance: transfer risk where possible
  • 26.
    • Board ofDirectors & GeneralCounsel, Cyber Future Foundation • Board of Advisors, NorthTexas Cyber Forensics Lab • Policy Council, NationalTechnology Security Coalition • CybersecurityTask Force, IntelligentTransportation Society of America • Cybersecurity & Data Privacy LawTrailblazers, National Law Journal (2016) • SuperLawyersTop 100 Lawyers in Dallas (2016) • SuperLawyers 2015-16 (IP Litigation) • Best Lawyers in Dallas 2014-16, D Magazine (Digital Information Law) • Council, Computer &Technology Section, State Bar ofTexas • Privacy and Data Security Committee of the State Bar ofTexas • College of the State Bar ofTexas • Board of Directors, CollinCounty Bench Bar Conference • Past Chair,Civil Litigation &Appellate Section, CollinCounty Bar Association • Information Security Committee of the Section on Science &Technology Committee of the American BarAssociation • NorthTexas Crime Commission, Cybercrime Committee & Infragard (FBI) • InternationalAssociation of Privacy Professionals (IAPP) • Board of Advisors Office of CISO, Optiv Security Shawn Tuma Cybersecurity Partner Scheef & Stone, L.L.P. 214.472.2135 shawn.tuma@solidcounsel.com @shawnetuma blog: www.shawnetuma.com web: www.solidcounsel.com