Bio: David A. Stampley, CIPP, is a partner at KamberLaw in New York. He has specialized in
data privacy and security compliance for over 15 years. Currently, he litigates information-
technology-related class actions. His prior roles include regulatory enforcement (New York
Attorney General’s Office), privacy officer (a Fortune 1000 B2B technology provider), and
consultant and general counsel (Neohapsis). He started his legal career as an Assistant District
Attorney in the Manhattan D.A.’s Office.
Preview of conclusion: In every role I’ve had in the practice of privacy/security law, I’ve
advocated for what should be considered reasonable or unreasonable by my client, or should
have been considered reasonable or unreasonable by the other party in a court case.
•	 I started the same place discussed today—the laws, regulations, and cases—and the rule of
reasonableness.
•	 And then I looked at what rules there were in security literature—standards organizations,
textbooks, vendor documentation.
•	 But, inevitably, I started calling people—I/S professionals, and asked them what they
considered good/bad, acceptable/unacceptable; why; and how they draw the line. I asked
them what they observed in practice and what they saw their peers in other organizations
doing. I asked how they would back up their positions if challenged.
That’s what I did, before advising upper management when I was in-house, or taking a
position in court—I asked the kind of people in this room, because the answer is already
there. If a court then made a decision, that doesn’t mean a particular practice suddenly became
reasonable or unreasonable. It means it already was.
 
 
 
 
 
 
2014 topic was “Who defines ‘reasonable security’? – Lessons from courts and regulators.”
Some key takeaways:
•	 Wyndham case: FTC exercise of unfairness jurisdiction. Wyndham said it wasn’t on notice
of unreasonableness.
•	 Target case: CEOs affected? Maybe, but not through the courts. Security vendors on the
hook? Not likely to be a major trend yet.
• Why is “reasonable security” not more defined in enforcement actions/cases?
•	 Regulatory constraints and prosecutorial discretion: awareness, resources &
priorities, provability, litigation risk
•	 Class action constraints: consumer awareness, standing, certifiability, resources,
provability, litigation risk & cost (long duration of litigation on contingency)
• Result: Many security failures go unaddressed.
2014 session emphasized definition of “reasonable security” after the question was put to the
test in enforcement and court actions. But if regulators and courts haven’t yet answered the
question, how do I/S professionals determine what’s reasonable? Would it really help if the
government came up with an answer?
 
 
 
 
Assumptions about target audience for this presentation:
•	 I/S professionals are trying to do their jobs. However, I/S is often viewed as a cost center.
Communicating needs & getting budget $ for security can be a struggle. But regardless of
who makes the go/nogo decision on security measures, if there’s a security failure, I/S is
likely to be a target for blame.
•	 Many I/S professionals believe clearer rules about what is “reasonable” would support their
mission.
So who defines “reasonable security”? In this 2015 session, the answer is the same as last year
—if I/S professionals want a workable definition, it’s incumbent on the I/S community to
come up with it, since it has the expertise.
•	 Last year I advocated for security experts and thought leaders to coalesce & be heard.
•	 This year, we’ll work toward the answer from a different angle—the front line. That’s where
the definition of reasonable security happens.
 
 
 
Our starting point is the same as last year—the dictionary definition of “reasonable.”
•	 What is considered reasonable may vary with circumstances.
If that’s the case, you can’t expect regulators or courts to define it for every circumstance.
Instead, regulations tend to be general and follow this definition. See, e.g., GLBA
Safeguards Rules
•	 You might be thinking, “That’s no help.” But the expectation is that an organization,
informed by I/S professionals, can figure it out.
If “reasonable” care is “ordinary” care, what is “ordinary”? It’s a level of care that any
“competent [I/S professional] engaged in the same line of business would exercise under
similar circumstances.”
•	 What does that tell you? Under the law, the idea isn’t that someone is playing hide the ball,
not telling you the rule, and later playing gotcha. The expectation is that you already know
what you need to know to figure it out.
[Refer back to FTC & class action case lists. Would you need a specific rule to tell you...?]
 
 
[Recap FTC jurisdiction]
•	 Prohibits unfair or deceptive acts or practices (may include omission).
[Recap Wyndham, LabMD discussion from last year—“we didn’t know the standards”; current
status]
•	 Some argue that the FTC’s current authority isn’t enough to bring actions against
companies for data breaches, espec. under unfairness jurisdiction.
 
 
 
 
 
 
Would you need a more specific legal rule to tell you whether the alleged practices are
substandard and unreasonable?
[Discuss Verizon:
• FTC closing letters
• Value of prompt mitigation and cooperative response to regulatory inquiry.
• Recap from 2014: Recognition of enforcement body’s need to prioritize spending taxpayer
dollars.]
[Recap 2014 discussion. FTC and state AGs don’t—and can’t—bring enforcement actions for
every security failure.
• Jurisdiction (Wyndham challenge to FTC unfairness jurisdiction).
• Enforcement priorities discussed previously.
• Non-transparency—not every failure can be seen, so consumers and other businesses bear
the costs.]
 
 
 
 
 
 
 
 
Would you need a more specific legal rule to tell you whether the alleged practices are
substandard and unreasonable?
[Recap 2014 discussion of barriers to relief in class action:
Non-transparency: consumers may not know to bring cases because may not know who
harmed them, or even that they were harmed.
Litigation risks, winnows down likelihood of relief: Cases handled on contingency, long
duration, multiple motions to dismiss, availability of competent experts, costly expert
discovery, technical sophistication of courts
Jurisdictions requiring plaintiff reliance on specific misrepresentations.
Certifiability of class.
Standing.]
Target: Last year, discussion in I/S community of whether security vendors like Trustwave
would be held liable for breaches. Not major trend so far.
Garvey v. Hulu: Appeal issue of VPPA knowledge element. Did Hulu know what was sent
to Facebook through Hulu’s implementation of Like button.
Target, Yahoo, Spokeo: Biggest issue = standing
One rule is—don’t rely on predictions.
Another is don’t hold your breath waiting for enforcers and courts to make the rules.
Will there be a next wave, focused on data breaches? Maybe. But just remember that lawyers
and reporters may be prone to making attention-getting predictions. There’s already a history
of private litigation in response to data breaches.
Returning to definition of “reasonable”—a key takeaway is, you don’t have to wait for
someone else to make rules because “everybody knows that.”
[2014 analogy: It doesn’t take a written rule to tell you to get the kids’ soccer team inside
when you see a thunderstorm.]
[Refer back to Black’s definition of reasonable & case overviews.]
 
 
Many states have “baby UDAP” statutes. NY GBL § 349 provides useful angle in determining
what is reasonable—the reasonable consumer.
•	 Organization can’t count on defense of “good heart, empty head.” Did company promise
reasonable security and fail to deliver?
[Recap Wyndham discussion from last year—“we didn’t know the standards”; current
status]
“Website Security Flaw Costs ZD,” Brian McWilliams, Wired, Aug. 28, 2002
(regarding N.Y. Attorney General settlement with Ziff Davis Media for online
exposure of subscriber information database):
In a statement, New York-based Ziff Davis said Wednesday that it had not
broken any laws, and the company termed the incident “a one-time online
security violation ... caused by a coding error.”
Stampley said he was "surprised and disappointed" at Ziff Davis'
characterization of the facts of the case. "Acts such as failing to use SSL
encryption and disabling Web server logging indicate an ongoing failure to
follow standard security practices.”
•	 Requires thinking ahead and considering consequences. Not just a question of does system
do what we want, but whether someone else can use it in unwanted way.
 
 
 
 
FTC’s safeguards rule under the GLBA useful in understanding that:
• reasonable security isn’t one-size-fits-all—what is reasonable depends on the organization
• the organization is expected to be able to figure it out.
Many I/S professionals have been challenged within their organizations to “show me where
the law says we have to do that.” The reasonableness standards under federal and state laws
and regulations are where.
Takeaways:
• I/S professionals don’t have to become lawyers to determine position on reasonable
security.
• I/S professionals do need to inform other actors in the organization, so reasonably
foreseeable risks can be evaluated in context.
 
 
 
 
 
 
 
Good to be aware, but understand that lobbying positions aren’t rules or predictions I/S can
count on or a reason for inaction. Plus, there may be strategic and tactical reasons for those
positions that aren’t apparent.
•	 If there is a compliance “minefield,” why? Specific examples? How much of it consists of
pre-existing laws? How different are the laws?
Do consumers face any minefield of their own? Are they hurt/helped by a compliance
minefield? Who bears costs of security compliance & failure?
•	 Would “one, consistent federal standard” that trumps everything else give I/S desirable
rules? (Refer back to laws/cases). From a consumer advocate’s perspective, these would be
potential effects of “one standard”:
•	 weak standard that trumps better laws and further diminishes opportunities for
healthy enforcement (refer back to constraints on regulatory enforcement and class
actions)
• continues to shift the burden of losses to consumers
• puts organizations that want to do the right thing at a competitive disadvantage
•	 disincentivizes development of a more trustworthy and robust marketplace—what
looks like benefit to shareholder value is long-run loss of opportunity to maximize
• and still won’t give I/S rules that are specific to the circumstances of the
organization.
There may be very good bases for some policy arguments—but they are still just arguments.
For I/S, don’t drink the Kool-Aid. Your organization needs you to have a clear head and be
able to communicate objectively to those in the organization who rely on I/S’s advice.
 
 
Plus, I/S can’t count on the outcome of policy and legal arguments.
•	 [Example of Hulu defense that VPPA didn’t apply to streaming video]
•	 From 14 years ago—”Internet Privacy; Enforcement Actions,” David Medine and Christine
Varney, National Law Journal, Aug. 6, 2001:
“The FTC has treated Web site privacy policies as ‘representations,’ subjecting
them to scrutiny under the act, thus transforming a decades-old consumer
protection law into a comprehensive, modern privacy statute.”
Perhaps the authors weren’t saying that the law was stale and shouldn’t apply to website
privacy policies—but “transforming a decades-old law” is a debatable characterization. The
law was there and applied to commerce. Commerce moved online. The law was applied
where commerce was taking place.
Deploying a new technology application doesn’t put the application beyond the reach of laws.
Remember examples from NY § 349 and FTC Safeguards Rule language: reasonably
foreseeable.
 
 
Bottom line: Don’t wait for someone else to tell you what the rule is.
•	 Even if more rules are needed, even if you agree that federal standards should be
established that trump other laws: there are rules already, they need to be followed,
and I/S has a duty to take a leading role in defining what compliance with those
rules looks like.
•	 If policymakers devise new data security rules without meaningful I/S input, they
won’t be good rules.
Regardless of how rules evolve, or whether upper management is held accountable for
failures, failures put I/S professionals at risk, so you’d better speak up. [Discussion: Average
CIO lifespan; I/S taking blame for breaches.]
 
 
 
• But, when you speak up, or if you are in a consultative role to other I/S professionals, be
mindful: If the question is “Is it reasonable,” responding with “That won’t work” isn’t a
useful answer. Some I/S professionals dismiss technologies/approaches by saying “That
won’t work,” when what they really mean is, “It leaves some problems unsolved” or “It can
be exploited.” Does it solve some of the problem—how much? Is it a starting place? Is
there a better option?
Other pitfalls:
• Saying that the sky is falling, and saying it often. The sky is usually not falling. Some I/S
professionals treat security issues as crises when they are not, or fail to distinguish among
levels of seriousness. Sometimes internal clients do this—not necessarily motivated by
security.
• Failure to document compliance efforts. [Refer back to Safeguards Rule.] Thinking about
what’s reasonable, planning for it, documenting decisions shows attention to the issues. It’s
not only an important part of maintaining institutional memory and continuity, it can
validate the reasonableness of efforts, even if failure occurs. [Refer back to GLBA
Safeguards Rule—documented program.]
 
 
 
•	 Don’t pre-judge compliance failure. Based on my experience, some employees (out of
vigilance or even internal jockeying) raise security issues with e-mails to too many
recipients saying “We’re non-compliant.” Sometimes it’s I/S, or other employees referring
to I/S issues.
•	 “We’re non-compliant” is not documenting compliance effort. It’s probably a legal
conclusion that should be left to lawyers to make.
•	 It may be the wrong conclusion. There may be mitigating factors. But what the e-
mail does is create a record that can be used as evidence against the organization,
even if the conclusion is incorrect. (That may be one of several reasons that your
lawyers may ask I/S to direct compliance concerns to them.)
Part of incident response should include how to communicate about potential issues that
require attention.
[Refer back to Safeguards Rule.] Remember that, while I/S should be defining reasonable
security from the I/S perspective, defining what that looks like for the organization involves
others in the organization.
 
 
 
Think back to cases discussed—was unreasonableness obvious? If what’s reasonable seems
hard to pinpoint, start by defining what is out of bounds.
Rely on your expertise to define a starting point for what’s reasonable, as input to
organizational determination. Back yourself up—if you believe certain practices are
reasonable/unreasonable, there’s a reason why. What is industry practice? Get input from
colleagues in other organizations who are “prudent and competent person[s] engaged in the
same line of business or endeavor” facing “similar circumstances.” Refer to I/S
organization publications.
I often hear I/S professionals say “there’s no proof” of what’s reasonable. Your word is a
form of proof. You don’t get a guarantee of absolute proof, but your credibility is evidence,
and if you back up your position, it’s even stronger evidence.
Then you’re ready to talk to your lawyer with information your lawyer needs, instead of
just asking what the rule is.
Just as with some I/S professionals, some lawyers have a highly risk-averse “that won’t
work” approach, but at least you’ll be in a position to give your lawyers information they
need.
 
 
[Discussion: What do you do if you believe there’s a compliance failure and no one listens?
Steps to protect yourself... ethical/moral issues.]
•	 The actions of I/S professionals matter in people’s lives. Right now, ask yourself: At what
point might it be necessary to sound an alarm and maybe put your job at risk—or to walk
away? What would make it hard to look yourself in the mirror in the morning? What are the
reasonably foreseeable risks? These are hard questions that sound dramatic, but those
kinds of challenges can come up, and when they do, they are dramatic. Ask yourself now,
because these questions may be harder to answer when you’re in the middle of a situation
in which the answers might matter.
•	 By asking yourself those questions—about where the line is between reasonable and
unreasonable—you may gain clarity that will help in communicating the more everyday
answers about what reasonable security looks like.
“Success is never final and failure never fatal. It’s courage that counts.” — Attributed to
George F. Tilton
 
[Discussion--being heard: Comment period for regulations and standards.]
• Process is critical. It’s not just what you do, but how you do it, as a team, redundantly.
What reasonable security looks like down the road is for you to decide—maybe not alone—
but the security expertise is yours. The rest of us are relying—reasonably so—on I/S
professionals, individually, and the I/S community, collectively, to tell us.
jacksnathalie
 
Internal Investigations - 101 (Series: Corporate & Regulatory Compliance Boot...
Internal Investigations - 101 (Series: Corporate & Regulatory Compliance Boot...Internal Investigations - 101 (Series: Corporate & Regulatory Compliance Boot...
Internal Investigations - 101 (Series: Corporate & Regulatory Compliance Boot...
Financial Poise
 
Rothke Patchlink
Rothke    PatchlinkRothke    Patchlink
Rothke Patchlink
Ben Rothke
 
BUSINESS LAW REVIEW- 2022: Defending White Collar Crime-101
BUSINESS LAW REVIEW- 2022: Defending White Collar Crime-101BUSINESS LAW REVIEW- 2022: Defending White Collar Crime-101
BUSINESS LAW REVIEW- 2022: Defending White Collar Crime-101
Financial Poise
 
Chapter IntroductionDitty_about_summer Shutterstock.comLe
Chapter IntroductionDitty_about_summer Shutterstock.comLeChapter IntroductionDitty_about_summer Shutterstock.comLe
Chapter IntroductionDitty_about_summer Shutterstock.comLe
JinElias52
 
Social media and the hiring process
Social media and the hiring processSocial media and the hiring process
Social media and the hiring process
Dan Michaluk
 
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017
Wendy Knox Everette
 
Precarious professionalism 17 Sep 14 to Law Society
Precarious professionalism 17 Sep 14 to Law SocietyPrecarious professionalism 17 Sep 14 to Law Society
Precarious professionalism 17 Sep 14 to Law Society
Richard Moorhead
 
Speedy Programs Of Legal Background Check - A Background
Speedy Programs Of Legal Background Check - A BackgroundSpeedy Programs Of Legal Background Check - A Background
Speedy Programs Of Legal Background Check - A Background
cloudybanister911
 
Vital Details Of Legal Background Check - An Introduction
Vital Details Of Legal Background Check - An IntroductionVital Details Of Legal Background Check - An Introduction
Vital Details Of Legal Background Check - An Introduction
therapeuticboug70
 
Conducting Effective Workplace Investigations
Conducting Effective Workplace InvestigationsConducting Effective Workplace Investigations
Conducting Effective Workplace Investigations
Parsons Behle & Latimer
 
Selecting Successful Solutions Of Legal Background Check
Selecting Successful Solutions Of Legal Background CheckSelecting Successful Solutions Of Legal Background Check
Selecting Successful Solutions Of Legal Background Check
giannagonzalez766
 
Practical Programs Of Legal Background Check - Insights
Practical Programs Of Legal Background Check - InsightsPractical Programs Of Legal Background Check - Insights
Practical Programs Of Legal Background Check - Insights
narrowcluster2553
 
Clear-Cut Methods For Legal Background Search For 2012
Clear-Cut Methods For Legal Background Search For 2012Clear-Cut Methods For Legal Background Search For 2012
Clear-Cut Methods For Legal Background Search For 2012
acridcuff939
 
Whistle blowing
Whistle blowingWhistle blowing
Whistle blowing
Ofqual Slideshare
 

Similar to Dave Stampley - Reasonable Security - Security BSides NOLA 2015 (20)

How to Avoid Malpractice & Disciplinary Actions - General Do's and Don'ts (Se...
How to Avoid Malpractice & Disciplinary Actions - General Do's and Don'ts (Se...How to Avoid Malpractice & Disciplinary Actions - General Do's and Don'ts (Se...
How to Avoid Malpractice & Disciplinary Actions - General Do's and Don'ts (Se...
 
CII publishes new guide “Ethics for the digital age”
CII publishes new guide “Ethics for the digital age”CII publishes new guide “Ethics for the digital age”
CII publishes new guide “Ethics for the digital age”
 
Hiring Contract Security - Common Sense and Basic Guidelines for Hiring a Sec...
Hiring Contract Security - Common Sense and Basic Guidelines for Hiring a Sec...Hiring Contract Security - Common Sense and Basic Guidelines for Hiring a Sec...
Hiring Contract Security - Common Sense and Basic Guidelines for Hiring a Sec...
 
TFW LTE 1032 ANM Assignments Position Paper Detail Submission Grade .pdf
TFW LTE 1032 ANM Assignments Position Paper Detail Submission Grade .pdfTFW LTE 1032 ANM Assignments Position Paper Detail Submission Grade .pdf
TFW LTE 1032 ANM Assignments Position Paper Detail Submission Grade .pdf
 
Overall Comments Overall you made a nice start with your U02a1 .docx
Overall Comments Overall you made a nice start with your U02a1 .docxOverall Comments Overall you made a nice start with your U02a1 .docx
Overall Comments Overall you made a nice start with your U02a1 .docx
 
Internal Investigations - 101 (Series: Corporate & Regulatory Compliance Boot...
Internal Investigations - 101 (Series: Corporate & Regulatory Compliance Boot...Internal Investigations - 101 (Series: Corporate & Regulatory Compliance Boot...
Internal Investigations - 101 (Series: Corporate & Regulatory Compliance Boot...
 
FairLendingQ&Av10
FairLendingQ&Av10FairLendingQ&Av10
FairLendingQ&Av10
 
Rothke Patchlink
Rothke    PatchlinkRothke    Patchlink
Rothke Patchlink
 
BUSINESS LAW REVIEW- 2022: Defending White Collar Crime-101
BUSINESS LAW REVIEW- 2022: Defending White Collar Crime-101BUSINESS LAW REVIEW- 2022: Defending White Collar Crime-101
BUSINESS LAW REVIEW- 2022: Defending White Collar Crime-101
 
Chapter IntroductionDitty_about_summer Shutterstock.comLe
Chapter IntroductionDitty_about_summer Shutterstock.comLeChapter IntroductionDitty_about_summer Shutterstock.comLe
Chapter IntroductionDitty_about_summer Shutterstock.comLe
 
Social media and the hiring process
Social media and the hiring processSocial media and the hiring process
Social media and the hiring process
 
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017
 
Precarious professionalism 17 Sep 14 to Law Society
Precarious professionalism 17 Sep 14 to Law SocietyPrecarious professionalism 17 Sep 14 to Law Society
Precarious professionalism 17 Sep 14 to Law Society
 
Speedy Programs Of Legal Background Check - A Background
Speedy Programs Of Legal Background Check - A BackgroundSpeedy Programs Of Legal Background Check - A Background
Speedy Programs Of Legal Background Check - A Background
 
Vital Details Of Legal Background Check - An Introduction
Vital Details Of Legal Background Check - An IntroductionVital Details Of Legal Background Check - An Introduction
Vital Details Of Legal Background Check - An Introduction
 
Conducting Effective Workplace Investigations
Conducting Effective Workplace InvestigationsConducting Effective Workplace Investigations
Conducting Effective Workplace Investigations
 
Selecting Successful Solutions Of Legal Background Check
Selecting Successful Solutions Of Legal Background CheckSelecting Successful Solutions Of Legal Background Check
Selecting Successful Solutions Of Legal Background Check
 
Practical Programs Of Legal Background Check - Insights
Practical Programs Of Legal Background Check - InsightsPractical Programs Of Legal Background Check - Insights
Practical Programs Of Legal Background Check - Insights
 
Clear-Cut Methods For Legal Background Search For 2012
Clear-Cut Methods For Legal Background Search For 2012Clear-Cut Methods For Legal Background Search For 2012
Clear-Cut Methods For Legal Background Search For 2012
 
Whistle blowing
Whistle blowingWhistle blowing
Whistle blowing
 

Recently uploaded

Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense CounselMilitary Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Thomas (Tom) Jasper
 
Responsibilities of the office bearers while registering multi-state cooperat...
Responsibilities of the office bearers while registering multi-state cooperat...Responsibilities of the office bearers while registering multi-state cooperat...
Responsibilities of the office bearers while registering multi-state cooperat...
Finlaw Consultancy Pvt Ltd
 
WINDING UP of COMPANY, Modes of Dissolution
WINDING UP of COMPANY, Modes of DissolutionWINDING UP of COMPANY, Modes of Dissolution
WINDING UP of COMPANY, Modes of Dissolution
KHURRAMWALI
 
PRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptx
PRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptxPRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptx
PRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptx
OmGod1
 
Donald_J_Trump_katigoritirio_stormi_daniels.pdf
Donald_J_Trump_katigoritirio_stormi_daniels.pdfDonald_J_Trump_katigoritirio_stormi_daniels.pdf
Donald_J_Trump_katigoritirio_stormi_daniels.pdf
ssuser5750e1
 
Debt Mapping Camp bebas riba to know how much our debt
Debt Mapping Camp bebas riba to know how much our debtDebt Mapping Camp bebas riba to know how much our debt
Debt Mapping Camp bebas riba to know how much our debt
ssuser0576e4
 
RIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptx
RIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptxRIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptx
RIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptx
OmGod1
 
Agrarian Reform Policies in the Philippines: a quiz
Agrarian Reform Policies in the Philippines: a quizAgrarian Reform Policies in the Philippines: a quiz
Agrarian Reform Policies in the Philippines: a quiz
gaelcabigunda
 
VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...
VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...
VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...
Dr. Oliver Massmann
 
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
9ib5wiwt
 
Introducing New Government Regulation on Toll Road.pdf
Introducing New Government Regulation on Toll Road.pdfIntroducing New Government Regulation on Toll Road.pdf
Introducing New Government Regulation on Toll Road.pdf
AHRP Law Firm
 
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
9ib5wiwt
 
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
9ib5wiwt
 
ADR in criminal proceeding in Bangladesh with global perspective.
ADR in criminal proceeding in Bangladesh with global perspective.ADR in criminal proceeding in Bangladesh with global perspective.
ADR in criminal proceeding in Bangladesh with global perspective.
Daffodil International University
 
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
9ib5wiwt
 
ALL EYES ON RAFAH BUT WHY Explain more.pdf
ALL EYES ON RAFAH BUT WHY Explain more.pdfALL EYES ON RAFAH BUT WHY Explain more.pdf
ALL EYES ON RAFAH BUT WHY Explain more.pdf
46adnanshahzad
 
Secure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark TodaySecure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark Today
Trademark Quick
 
Cold War - 1, talks about cold water bro
Cold War - 1, talks about cold water broCold War - 1, talks about cold water bro
Cold War - 1, talks about cold water bro
SidharthKashyap5
 
ASHWINI KUMAR UPADHYAY v/s Union of India.pptx
ASHWINI KUMAR UPADHYAY v/s Union of India.pptxASHWINI KUMAR UPADHYAY v/s Union of India.pptx
ASHWINI KUMAR UPADHYAY v/s Union of India.pptx
shweeta209
 
Law Commission Report. Commercial Court Act.
Law Commission Report. Commercial Court Act.Law Commission Report. Commercial Court Act.
Law Commission Report. Commercial Court Act.
Purushottam Jha
 

Recently uploaded (20)

Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense CounselMilitary Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
 
Responsibilities of the office bearers while registering multi-state cooperat...
Responsibilities of the office bearers while registering multi-state cooperat...Responsibilities of the office bearers while registering multi-state cooperat...
Responsibilities of the office bearers while registering multi-state cooperat...
 
WINDING UP of COMPANY, Modes of Dissolution
WINDING UP of COMPANY, Modes of DissolutionWINDING UP of COMPANY, Modes of Dissolution
WINDING UP of COMPANY, Modes of Dissolution
 
PRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptx
PRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptxPRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptx
PRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptx
 
Donald_J_Trump_katigoritirio_stormi_daniels.pdf
Donald_J_Trump_katigoritirio_stormi_daniels.pdfDonald_J_Trump_katigoritirio_stormi_daniels.pdf
Donald_J_Trump_katigoritirio_stormi_daniels.pdf
 
Debt Mapping Camp bebas riba to know how much our debt
Debt Mapping Camp bebas riba to know how much our debtDebt Mapping Camp bebas riba to know how much our debt
Debt Mapping Camp bebas riba to know how much our debt
 
RIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptx
RIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptxRIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptx
RIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptx
 
Agrarian Reform Policies in the Philippines: a quiz
Agrarian Reform Policies in the Philippines: a quizAgrarian Reform Policies in the Philippines: a quiz
Agrarian Reform Policies in the Philippines: a quiz
 
VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...
VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...
VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...
 
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
 
Introducing New Government Regulation on Toll Road.pdf
Introducing New Government Regulation on Toll Road.pdfIntroducing New Government Regulation on Toll Road.pdf
Introducing New Government Regulation on Toll Road.pdf
 
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
 
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
 
ADR in criminal proceeding in Bangladesh with global perspective.
ADR in criminal proceeding in Bangladesh with global perspective.ADR in criminal proceeding in Bangladesh with global perspective.
ADR in criminal proceeding in Bangladesh with global perspective.
 
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
 
ALL EYES ON RAFAH BUT WHY Explain more.pdf
ALL EYES ON RAFAH BUT WHY Explain more.pdfALL EYES ON RAFAH BUT WHY Explain more.pdf
ALL EYES ON RAFAH BUT WHY Explain more.pdf
 
Secure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark TodaySecure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark Today
 
Cold War - 1, talks about cold water bro
Cold War - 1, talks about cold water broCold War - 1, talks about cold water bro
Cold War - 1, talks about cold water bro
 
ASHWINI KUMAR UPADHYAY v/s Union of India.pptx
ASHWINI KUMAR UPADHYAY v/s Union of India.pptxASHWINI KUMAR UPADHYAY v/s Union of India.pptx
ASHWINI KUMAR UPADHYAY v/s Union of India.pptx
 
Law Commission Report. Commercial Court Act.
Law Commission Report. Commercial Court Act.Law Commission Report. Commercial Court Act.
Law Commission Report. Commercial Court Act.
 

Dave Stampley - Reasonable Security - Security BSides NOLA 2015

Slide 2. The 2014 topic was “Who defines ‘reasonable security’? – Lessons from courts and regulators.” Some key takeaways:
• Wyndham case: FTC exercise of unfairness jurisdiction. Wyndham said it wasn’t on notice of unreasonableness.
• Target case: CEOs affected? Maybe, but not through the courts. Security vendors on the hook? Not likely to be a major trend yet.
• Why is “reasonable security” not more defined in enforcement actions/cases?
• Regulatory constraints and prosecutorial discretion: awareness, resources & priorities, provability, litigation risk
• Class action constraints: consumer awareness, standing, certifiability, resources, provability, litigation risk & cost (long duration of litigation on contingency)
• Result: Many security failures go unaddressed.
The 2014 session emphasized the definition of “reasonable security” after the question was put to the test in enforcement and court actions. But if regulators and courts haven’t yet answered the question, how do I/S professionals determine what’s reasonable? Would it really help if the government came up with an answer?
Slide 3. Assumptions about the target audience for this presentation:
• I/S professionals are trying to do their jobs. However, I/S is often viewed as a cost center. Communicating needs & getting budget $ for security can be a struggle. But regardless of who makes the go/no-go decision on security measures, if there’s a security failure, I/S is likely to be a target for blame.
• Many I/S professionals believe clearer rules about what is “reasonable” would support their mission.
So who defines “reasonable security”? In this 2015 session, the answer is the same as last year—if I/S professionals want a workable definition, it’s incumbent on the I/S community to come up with it, since it has the expertise.
• Last year I advocated for security experts and thought leaders to coalesce & be heard.
• This year, we’ll work toward the answer from a different angle—the front line. That’s where the definition of reasonable security happens.
Slide 4. Our starting point is the same as last year—the dictionary definition of “reasonable.”
• What is considered reasonable may vary with circumstances. If that’s the case, you can’t expect regulators or courts to define it for every circumstance. Instead, regulations tend to be general and follow this definition. See, e.g., GLBA Safeguards Rules.
• You might be thinking, “That’s no help.” But the expectation is that an organization, informed by I/S professionals, can figure it out. If “reasonable” care is “ordinary” care, what is “ordinary”? It’s a level of care that any “competent [I/S professional] engaged in the same line of business would exercise under similar circumstances.”
• What does that tell you? Under the law, the idea isn’t that someone is playing hide the ball, not telling you the rule, and later playing gotcha. The expectation is that you already know what you need to know to figure it out. [Refer back to FTC & class action case lists. Would you need a specific rule to tell you...?]
Slide 5. [Recap FTC jurisdiction]
• Prohibits unfair or deceptive acts or practices (may include omission). [Recap Wyndham, LabMD discussion from last year—“we didn’t know the standards”; current status]
• Some argue that the FTC’s current authority isn’t enough to bring actions against companies for data breaches, especially under unfairness jurisdiction.
Slide 6. Would you need a more specific legal rule to tell you whether the alleged practices are substandard and unreasonable?
[Discuss Verizon:
• FTC closing letters
• Value of prompt mitigation and cooperative response to regulatory inquiry.
• Recap from 2014: Recognition of enforcement body’s need to prioritize spending taxpayer dollars.]
[Recap 2014 discussion. FTC and state AGs don’t—and can’t—bring enforcement actions for every security failure.
• Jurisdiction (Wyndham challenge to FTC unfairness jurisdiction).
• Enforcement priorities discussed previously.
• Non-transparency—not every failure can be seen, so consumers and other businesses bear the costs.]
Slide 7. Would you need a more specific legal rule to tell you whether the alleged practices are substandard and unreasonable?
[Recap 2014 discussion of barriers to relief in class actions:
• Non-transparency: consumers may not know to bring cases because they may not know who harmed them, or even that they were harmed.
• Litigation risks winnow down the likelihood of relief: cases handled on contingency, long duration, multiple motions to dismiss, availability of competent experts, costly expert discovery, technical sophistication of courts.
• Jurisdictions requiring plaintiff reliance on specific misrepresentations.
• Certifiability of class.
• Standing.]
• Target: Last year, discussion in the I/S community of whether security vendors like Trustwave would be held liable for breaches. Not a major trend so far.
• Garvey v. Hulu: Appeal issue of the VPPA knowledge element. Did Hulu know what was sent to Facebook through Hulu’s implementation of the Like button?
• Target, Yahoo, Spokeo: Biggest issue = standing.
Slide 8. One rule is—don’t rely on predictions. Another is don’t hold your breath waiting for enforcers and courts to make the rules. Will there be a next wave, focused on data breaches? Maybe. But just remember that lawyers and reporters may be prone to making attention-getting predictions. There’s already a history of private litigation in response to data breaches.
Slide 9. Returning to the definition of “reasonable”—a key takeaway is, you don’t have to wait for someone else to make rules because “everybody knows that.” [2014 analogy: It doesn’t take a written rule to tell you to get the kids’ soccer team inside when you see a thunderstorm.] [Refer back to Black’s definition of reasonable & case overviews.]
Slide 10. Many states have “baby UDAP” statutes. NY GBL § 349 provides a useful angle in determining what is reasonable—the reasonable consumer.
• An organization can’t count on a defense of “good heart, empty head.” Did the company promise reasonable security and fail to deliver? [Recap Wyndham discussion from last year—“we didn’t know the standards”; current status]
“Website Security Flaw Costs ZD,” Brian McWilliams, Wired, Aug. 28, 2002 (regarding N.Y. Attorney General settlement with Ziff Davis Media for online exposure of subscriber information database):
In a statement, New York-based Ziff Davis said Wednesday that it had not broken any laws, and the company termed the incident “a one-time online security violation ... caused by a coding error.” Stampley said he was “surprised and disappointed” at Ziff Davis’ characterization of the facts of the case. “Acts such as failing to use SSL encryption and disabling Web server logging indicate an ongoing failure to follow standard security practices.”
• Requires thinking ahead and considering consequences. Not just a question of whether the system does what we want, but whether someone else can use it in an unwanted way.
Slide 11. The FTC’s Safeguards Rule under the GLBA is useful in understanding that:
• reasonable security isn’t one-size-fits-all—what is reasonable depends on the organization
• the organization is expected to be able to figure it out.
Many I/S professionals have been challenged within their organizations to “show me where the law says we have to do that.” The reasonableness standards under federal and state laws and regulations are where.
Takeaways:
• I/S professionals don’t have to become lawyers to determine a position on reasonable security.
• I/S professionals do need to inform other actors in the organization, so reasonably foreseeable risks can be evaluated in context.
Slide 12. Good to be aware, but understand that lobbying positions aren’t rules or predictions I/S can count on, or a reason for inaction. Plus, there may be strategic and tactical reasons for those positions that aren’t apparent.
• If there is a compliance “minefield,” why? Specific examples? How much of it consists of pre-existing laws? How different are the laws? Do consumers face any minefield of their own? Are they hurt/helped by a compliance minefield? Who bears the costs of security compliance & failure?
• Would “one, consistent federal standard” that trumps everything else give I/S desirable rules? (Refer back to laws/cases.) From a consumer advocate’s perspective, these would be potential effects of “one standard”:
  • weak standard that trumps better laws and further diminishes opportunities for healthy enforcement (refer back to constraints on regulatory enforcement and class actions)
  • continues to shift the burden of losses to consumers
  • puts organizations that want to do the right thing at a competitive disadvantage
  • disincentivizes development of a more trustworthy and robust marketplace—what looks like a benefit to shareholder value is a long-run loss of opportunity to maximize
  • and still won’t give I/S rules that are specific to the circumstances of the organization.
There may be very good bases for some policy arguments—but they are still just arguments. For I/S, don’t drink the Kool-Aid. Your organization needs you to have a clear head and be able to communicate objectively to those in the organization who rely on I/S’s advice.
Slide 13. Plus, I/S can’t count on the outcome of policy and legal arguments.
• [Example of Hulu defense that the VPPA didn’t apply to streaming video]
• From 14 years ago—“Internet Privacy; Enforcement Actions,” David Medine and Christine Varney, National Law Journal, Aug. 6, 2001: “The FTC has treated Web site privacy policies as ‘representations,’ subjecting them to scrutiny under the act, thus transforming a decades-old consumer protection law into a comprehensive, modern privacy statute.”
Perhaps the authors weren’t saying that the law was stale and shouldn’t apply to website privacy policies—but “transforming a decades-old law” is a debatable characterization. The law was there and applied to commerce. Commerce moved online. The law was applied where commerce was taking place. Deploying a new technology application doesn’t put the application beyond the reach of laws. Remember examples from NY § 349 and FTC Safeguards Rule language: reasonably foreseeable.
Slide 14. Bottom line: Don’t wait for someone else to tell you what the rule is.
• Even if more rules are needed, even if you agree that federal standards should be established that trump other laws: there are rules already, they need to be followed, and I/S has a duty to take a leading role in defining what compliance with those rules looks like.
• If policymakers devise new data security rules without meaningful I/S input, they won’t be good rules.
Regardless of how rules evolve, or whether upper management is held accountable for failures, failures put I/S professionals at risk, so you’d better speak up. [Discussion: Average CIO lifespan; I/S taking blame for breaches.]
Slide 15. But, when you speak up, or if you are in a consultative role to other I/S professionals, be mindful: If the question is “Is it reasonable?”, responding with “That won’t work” isn’t a useful answer. Some I/S professionals dismiss technologies/approaches by saying “That won’t work,” when what they really mean is, “It leaves some problems unsolved” or “It can be exploited.” Does it solve some of the problem—how much? Is it a starting place? Is there a better option?
Other pitfalls:
• Saying that the sky is falling, and saying it often. The sky is usually not falling. Some I/S professionals treat security issues as crises when they are not, or fail to distinguish among levels of seriousness. Sometimes internal clients do this—not necessarily motivated by security.
• Failure to document compliance efforts. [Refer back to Safeguards Rule.] Thinking about what’s reasonable, planning for it, and documenting decisions shows attention to the issues. It’s not only an important part of maintaining institutional memory and continuity, it can validate the reasonableness of efforts, even if failure occurs. [Refer back to GLBA Safeguards Rule—documented program.]
16.
•	 Don’t pre-judge compliance failure. Based on my experience, some employees (out of vigilance or even internal jockeying) raise security issues with e-mails to too many recipients saying “We’re non-compliant.” Sometimes it’s I/S, or other employees referring to I/S issues.
•	 “We’re non-compliant” is not documenting compliance effort. It’s probably a legal conclusion that should be left to lawyers to make.
•	 It may be the wrong conclusion. There may be mitigating factors. But what the e-mail does is create a record that can be used as evidence against the organization, even if the conclusion is incorrect. (That may be one of several reasons that your lawyers may ask I/S to direct compliance concerns to them.) Part of incident response should include how to communicate about potential issues that require attention. [Refer back to Safeguards Rule.] Remember that, while I/S should be defining reasonable security from the I/S perspective, defining what that looks like for the organization involves others in the organization.
17. Think back to cases discussed—was unreasonableness obvious? If what’s reasonable seems hard to pinpoint, start by defining what is out of bounds. Rely on your expertise to define a starting point for what’s reasonable, as input to organizational determination. Back yourself up—if you believe certain practices are reasonable/unreasonable, there’s a reason why. What is industry practice? Get input from colleagues in other organizations who are “prudent and competent person[s] engaged in the same line of business or endeavor” facing “similar circumstances.” Refer to I/S organization publications. I often hear I/S professionals say “there’s no proof” of what’s reasonable. Your word is a form of proof. You don’t get a guarantee of absolute proof, but your credibility is evidence, and if you back up your position, it’s even stronger evidence. Then you’re ready to talk to your lawyer with information your lawyer needs, instead of just asking what the rule is. Just as with some I/S professionals, some lawyers have a highly risk-averse “that won’t work” approach, but at least you’ll be in a position to give your lawyers information they need.
18. [Discussion: What do you do if you believe there’s a compliance failure and no one listens? Steps to protect yourself... ethical/moral issues.]
•	 The actions of I/S professionals matter in people’s lives. Right now, ask yourself: At what point might it be necessary to sound an alarm and maybe put your job at risk—or to walk away? What would make it hard to look yourself in the mirror in the morning? What are the reasonably foreseeable risks? These are hard questions that sound dramatic, but those kinds of challenges can come up, and when they do, they are dramatic. Ask yourself now, because these questions may be harder to answer when you’re in the middle of a situation in which the answers might matter.
•	 By asking yourself those questions—about where the line is between reasonable and unreasonable—you may gain clarity that will help in communicating the more everyday answers about what reasonable security looks like. “Success is never final and failure never fatal. It’s courage that counts.” — Attributed to George F. Tilton
19. [Discussion—being heard: Comment period for regulations and standards.]
•	 Process is critical. It’s not just what you do, but how you do it, as a team, redundantly.
20. Preview of conclusion: In every role I’ve had in the practice of privacy/security law, I’ve advocated for what should be considered reasonable or unreasonable by my client, or should have been considered reasonable or unreasonable by the other party in a court case.
•	 I started the same place discussed today—the laws, regulations, and cases—and the rule of reasonableness.
•	 And then I looked at what rules there were in security literature—standards organizations, textbooks, vendor documentation.
•	 But, inevitably, I started calling people—I/S professionals, and asked them what they considered good/bad, acceptable/unacceptable; why; and how they draw the line. I asked them what they observed in practice and what they saw their peers in other organizations doing. I asked how they would back up their positions if challenged.
That’s what I did, before advising upper management when I was in-house, or taking a position in court—I asked the kind of people in this room, because the answer is already there. If a court then made a decision, that doesn’t mean a particular practice suddenly became reasonable or unreasonable. It means it already was.
What reasonable security looks like down the road is for you to decide—maybe not alone—but the security expertise is yours. The rest of us are relying—reasonably so—on I/S professionals, individually, and the I/S community, collectively, to tell us.