Slides from a webinar presented by Capitol Technology University on April 18, 2024, featuring a presentation by Dr. Ilia Kolochenko on Cyber Law, Cybercrime Investigations and Response.
1. Presented by Dr. Ilia Kolochenko
April 18, 2024
Cyber Law,
Cybercrime Investigations
and Response
2. Agenda
Bill Gibbs, Host
1. About Capitol Technology University
2. Session Pointers
3. About the Presenter
4. Presentation
5. Q and A
6. Upcoming Webinars
7. Recording, Slides, Certificate
3. About
Established in 1927, we are one of the few private universities in the U.S. specifically dedicated to STEM-based academic programs. The University offers degrees at the Associate, Bachelor, Master, and Doctoral levels.
4. Nonprofit, Private &
Accredited
Capitol is a nonprofit, private, accredited university located in Laurel, Maryland, USA.
Capitol Technology University is accredited by the Commission on Higher Education of the Middle States Association of Colleges and Schools.
The University is authorized by the State of Maryland to confer Associate’s (A.A.S.), Bachelor’s (B.S.), Master’s (M.S., M.B.A., M.Ed., M.Res., T.M.B.A., M.Phil.), and Doctoral (D.Sc., Ph.D., D.B.A., Ed.D.) degrees.
5. Session Pointers
• We will answer questions at the conclusion of the presentation. At any time, you can post a question in the text chat and we will answer as many as we can.
• Microphones and webcams are not activated for participants.
• A link to the recording and to the slides will be sent to all registrants and will be available on our webinar web page.
• A participation certificate is available by request for both Live Session and On Demand viewers.
6. Dr. Ilia Kolochenko
• Adjunct Prof. of Cybersecurity/Cyber Law for Capitol
• 15+ years of experience in cyber, information security auditing and cybercrime investigation
• Lawyer, Partner and Cybersecurity Practice Lead at Platt Law LLP. Admitted to the Washington DC Bar
• Chief Architect and CEO of ImmuniWeb
• BS in Computer Science and Mathematics (Webster U.)
• MS in Criminal Justice (Boston U.), MLS (Washington U.), LLM in Technology Law (U. of Edinburgh)
• Ph.D. in Computer Science (Capitol Technology U.)
7. Presented by Dr. Ilia Kolochenko
April 18, 2024
Cyber Law,
Cybercrime Investigations
and Response
8. About the Speaker
Ilia Kolochenko, Ph.D.
• Chief Architect & CEO at ImmuniWeb
• Partner & Cybersecurity Practice Lead at Platt Law LLP
• Continuous Legal Education (CLE) Faculty Member at the D.C. Bar
• Adjunct Professor of Cybersecurity Practice & Cyber Law at Capitol Technology University
• Member of Europol EDEN, INTERPOL DFEG, SANS CISO Network, IAPP Board of Appeals
• CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPT, CIPM, FIP certified by IAPP
• GLEG, GMOB, GCPN, GPCS, GCSA, GCTI, GDAT certified by GIAC
9. Disclaimer
No Legal Advice or Attorney-Client Relationship
This presentation and all related materials (hereinafter “information”) are provided “as is” without any warranty of any kind for general informational purposes only. The information does not, and is not intended to, constitute legal advice. Nothing herein is intended to, and shall not, create an attorney-client relationship.
10. Countries with Data Protection,
Privacy or Cybersecurity Laws
From 137 countries in 2021 to over 170 in 2024
11. US State Privacy Law Tracker by IAPP
Complex patchwork of state privacy legislation
12. Modern Stack of Data Protection
Laws and Regulations
• Supranational Laws and Regulations (e.g. EU GDPR, NIS 2 Directive, DORA, AI Act)
• National Laws and Regulations (e.g. Swiss nFADP, Brazilian LGPD, Singaporean PDPA)
  - State law (e.g. New York SHIELD Act, California CCPA/CPRA, Illinois BIPA)
  - Federal law (e.g. US HIPAA, FISMA, FTC Act)
  - Administrative rules (e.g. US SEC Rules on Cybersecurity, FTC Safeguards Rule)
  - Executive orders (e.g. EO on Improving the Nation’s Cybersecurity)
• Guidelines Incorporated into National Law (e.g. US NIST SP 800-Series, FIPPs)
• Mandatory Governmental Frameworks and Standards (e.g. US DFARS, upcoming CMMC 2.0)
• Mandatory Private Frameworks and Standards (e.g. PCI DSS, Swift CSCF)
• Voluntary Private Frameworks and Standards (e.g. ISO 27001, SOC 2)
May apply simultaneously, vertically or horizontally
13. Why Does It Matter?
Top 10 Regulatory Fines, Penalties and Settlements in 2023 (statistics by CSO Online, Michael Hill, UK Editor):
1. Didi Global: $1.19 billion
2. Amazon: $877 million
3. Equifax: $575 million
4. Instagram: $403 million
5. TikTok: $370 million
6. T-Mobile: $350 million
7. Meta (Facebook): $277 million
8. WhatsApp: $255 million
9. Home Depot: $200 million
10. Capital One: $190 million
Non-compliance costs and penalties are soaring
14. Why Does It Matter? Continued
Cybersecurity professionals become personally liable
15. EU NIS 2 Directive Example
Article 21 (“Cybersecurity risk-management measures”) Section 2:
a) policies on risk analysis and information system security;
b) incident handling;
c) business continuity, such as backup management and disaster recovery, and crisis management;
d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
g) basic cyber hygiene practices and cybersecurity training;
h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;
i) human resources security, access control policies and asset management;
j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications.
Strategy. Processes. Evidence.
16. NY DFS Cybersecurity Regulation Example
• Section 500.2 (“Cybersecurity Program”)
(a) Cybersecurity Program. Each Covered Entity shall maintain a cybersecurity program designed to protect […] the Covered Entity’s Information Systems. (b) The cybersecurity program shall be based on the Covered Entity’s Risk Assessment.
• Section 500.3 (“Cybersecurity Policy”)
Each Covered Entity shall implement and maintain a written policy or policies approved by […] board of directors […] setting forth the Covered Entity’s policies and procedures for the protection of its Information Systems.
• Section 500.5 (“Penetration Testing and Vulnerability Assessments”)
• Section 500.6 (“Audit Trail”)
• Section 500.10 (“Cybersecurity Personnel and Intelligence”)
• Section 500.11 (“Third Party Service Provider Security Policy”)
• Section 500.16 (“Incident Response Plan”)
Strategy. Processes. Evidence.
17. PCI DSS 4.0 Example
Strategy. Processes. Evidence.
18. Data Breach Disclosures and Notifications
• Not every security incident is a data breach
• Not every data breach is a reportable data breach
• Consider regulatory requirements to report (NB: not just data protection legislation)
• Consider contractual duties to report both security incidents and data breaches
• Consider ethical duties to disclose security incidents: transparency matters
• Prepare your media and stakeholders communication plan beforehand
• Coordinate everything with your legal team and specialized law firm
Over-disclosure and under-disclosure are both harmful
19. Investigating and Responding to Incidents
• Implement and regularly review an Incident Response (IR) plan with clearly defined roles, responsibilities, procedures and processes to follow
• Consider hiring an external law firm to lead IR after a data breach to protect forensic reports and other evidence from compelled disclosure in court
• Review your digital evidence collection procedure with lawyers to ensure that evidence and artifact collection procedures are legally sound and the obtained evidence is admissible in court
• Review your corporate data (especially regulated data) and log retention policies, and the monitoring of employees and their use of corporate equipment, with lawyers to ensure compliance with law
• Establish a point of contact with local and federal law enforcement agencies to report serious incidents; consider joining your industry ISAC to share threat intelligence
Multidisciplinary approach is essential for success
20. Cybersecurity Insurance Best Practices for 2024
• Define and crystallize the terminology used in your insurance contract
• Pay special attention to and clarify your own duties and obligations
• Ensure that you retain control over the DFIR and interrelated tasks
• Review insurance cap on direct, incidental and consequential damages
• Consider clauses that may be unlawful in your country like paying ransom
• Scrutinize exclusions and exceptions in your insurance contract
• Agree on possible coverage penalties after an incident happens
The devil is in the details. Talk to a Lawyer.
21. Thank you for your attention
Questions & Answers Session
For updates on cyber law, follow my LinkedIn:
www.linkedin.com/in/kolochenko
24. Capitol offers 20 regionally accredited degrees from the Associate to Doctoral levels related to this webinar. For more information about degrees and certificates offered in Cybersecurity, visit CapTechU.edu.fields-of-study
Join us for Master’s and Doctoral Virtual Information Sessions, held monthly. To learn more:
Email: gradadmit@captechu.edu • Phone: 1-800-950-1992