Shawn Tuma, profile picture
Uploaded byShawn Tuma
PDF, PPTX349 views

The Legal Case for Cybersecurity

The document emphasizes that cybersecurity is a critical business risk that extends beyond IT, necessitating legal compliance with various regulations like GDPR and HIPAA. It outlines common vulnerabilities and preventative best practices including risk assessments, employee training, and incident response plans to safeguard companies against cyber threats. It also discusses the importance of maintaining a comprehensive cybersecurity program tailored to the specific needs and risks of the organization.

Embed presentation

Download as PDF, PPTX
Shawn E. Tuma | Scheef & Stone, LLP Cybersecurity & Data Privacy Attorney 214.472.2135 | Shawn.tuma@solidcounsel.com THE LEGAL CASE FOR CYBERSECURITY @shawnetuma BusinessCyberRisk.com
Cybersecurity A Legal Issue?
www.solidcounsel.com Shawn Tuma (214) 472-2135 Shawn.Tuma@solidcounsel.com www.shawnetuma.com @shawnetuma “Security and IT protect companies’ data; Legal protects companies from their data.”
www.solidcounsel.com Shawn Tuma (214) 472-2135 Shawn.Tuma@solidcounsel.com www.shawnetuma.com @shawnetuma “Cybersecurity is no longer just an IT issue—it is an overall business risk issue.”
Legal Obligations. Easily preventable • 90% in 2014 • 91% in 2015 ▪ International Laws ▪ Safe Harbor ▪ Privacy Shield ▪ GDPR ▪ Federal Laws & Regs. ▪ HIPAA, GLBA, FERPA ▪ FTC, FCC, SEC ▪ State Laws ▪ 48 states (AL & SD) ▪ NYDFS & Colorado FinServ ▪ Industry Groups ▪ PCI, FINRA, etc. ▪ Contracts ▪ 3rd Party Bus. Assoc. ▪ Data Security Addendum
The real-world threats are not so sophisticated. Easily preventable • 90% in 2014 • 91% in 2015 • 63% confirmed breaches from weak, default, or stolen passwords • Data is lost over 100x more than stolen • Phishing used most to install malware Easily Avoidable Breaches 90% in 2014 91% in 2015 91% in 2016 (90% from email)
Common Cybersecurity Best Practices 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce. 4. Phish all workforce (esp. leadership). 5. Signature based antivirus and malware detection. 6. Access controls. 7. Security updates and patch management. 8. Multi-factor authentication. 9. Backups segmented offline and redundant. 10. No outdated or unsupported software. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk assessment & management. 15. Intrusion detection and intrusion prevention systems.
Does your company have reasonable cybersecurity? In re Target Data Security Breach Litigation, (Financial Institutions) (Dec. 2, 2014) F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24, 2015). 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce. 4. Phish all workforce (esp. leadership). 5. Signature based antivirus and malware detection. 6. Access controls. 7. Security updates and patch management. 8. Multi-factor authentication. 9. Backups segmented offline and redundant. 10. No outdated or unsupported software. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk assessment & management. 15. Intrusion detection and intrusion prevention systems.
Does your company have adequate internal network controls? FTC v. LabMD, (July 2016 FTC Commission Order) 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce. 4. Phish all workforce (esp. leadership). 5. Signature based antivirus and malware detection. 6. Access controls. 7. Security updates and patch management. 8. Multi-factor authentication. 9. Backups segmented offline and redundant. 10. No outdated or unsupported software. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk assessment & management. 15. Intrusion detection and intrusion prevention systems.
Does your company have written policies and procedures focused on cybersecurity? SEC v. R.T. Jones Capital Equities Mgt., Consent Order (Sept. 22, 2015) 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce. 4. Phish all workforce (esp. leadership). 5. Signature based antivirus and malware detection. 6. Access controls. 7. Security updates and patch management. 8. Multi-factor authentication. 9. Backups segmented offline and redundant. 10. No outdated or unsupported software. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk assessment & management. 15. Intrusion detection and intrusion prevention systems.
Does your company have a written cybersecurity incident response plan? SEC v. R.T. Jones Capital Equities Mgt., Consent Order (Sept. 22, 2015) 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce. 4. Phish all workforce (esp. leadership). 5. Signature based antivirus and malware detection. 6. Access controls. 7. Security updates and patch management. 8. Multi-factor authentication. 9. Backups segmented offline and redundant. 10. No outdated or unsupported software. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk assessment & management. 15. Intrusion detection and intrusion prevention systems.
Does your company manage third- party cyber risk? In re GMR Transcription Svcs, Inc., Consent Order (August 14, 2014). 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce. 4. Phish all workforce (esp. leadership). 5. Signature based antivirus and malware detection. 6. Access controls. 7. Security updates and patch management. 8. Multi-factor authentication. 9. Backups segmented offline and redundant. 10. No outdated or unsupported software. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk assessment & management. 15. Intrusion detection and intrusion prevention systems.
How mature is your company’s cyber risk management program? In re GMR Transcription Svcs, Inc., Consent Order (August 14, 2014). “GMR Transcription Services, Inc. . . . Shall . . . establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondents’ or the business entity’s size and complexity, the nature and scope of respondents’ or the business entity’s activities, and the sensitivity of the personal information collected from or about consumers”
www.solidcounsel.com New York Department of Financial Services Cybersecurity (NYDFS) Requirements for Financial Services Companies + [fill in] • All NY “financial institutions” + third party service providers. • Third party service providers – examine, obligate, audit. • Establish Cybersecurity Program (w/ specifics): • Logging, Data Classification, IDS, IPS; • Pen Testing, Vulnerability Assessments, Risk Assessment; and • Encryption, Access Controls. • Adopt Cybersecurity Policies. • Designate qualified CISO to be responsible. • Adequate cybersecurity personnel and intelligence. • Personnel Policies & Procedures, Training, Written IRP. • Chairman or Senior Officer Certify Compliance.
EU – General Data Protection Regulation (GDPR) • Goal: Protect all EU citizens from privacy and data breaches. • When: May 25, 2018. • Reach: Applies to all companies (controllers and processors): • Processing data of EU residents (regardless of where processing), • In the EU (regardless of where processing), or • Offering goods or services to EU citizens or monitoring behavior in EU. • Penalties: up to 4% global turnover or €20 Million (whichever is greater). • Remedies: data subjects have judicial remedies, right to damages. • Data subject rights: • Breach notification – 72 hrs to DPA; “without undue delay” to data subjects. • Right to access – provide confirmation of processing and electronic copy (free). • Data erasure – right to be forgotten, erase, cease dissemination or processing. • Data portability – receive previously provided data in common elect. format. • Privacy by design – include data protection from the onset of designing systems.
www.solidcounsel.com Cyber Risk Assessment Strategic Planning Deploy Defense Assets Develop, Implement &Train on P&P Tabletop Testing Reassess & Refine How mature is your company’s Cybersecurity Risk Management Program?
Cyber Risk Management Program @shawnetuma BusinessCyberRisk.com
Cyber Risk Management Program @shawnetuma BusinessCyberRisk.com
Cyber Insurance
Cyber Insurance – Key Questions • Do you know if you even have it? • What period does the policy cover? • Are Officers & Directors Covered? • Cover 3rd Party Caused Events? • Social Engineering coverage? • Cover insiders intentional acts (vs. negligent)? • Is contractual liability covered? • What is the triggering event? • What types of data are covered? • What kind of incidents are covered? • Acts of war? Terrorism? • Required carrier list for attorneys & experts? • Other similar risks?
www.solidcounsel.com “You don’t drown by falling in the water; You drown by staying there.” – Edwin Louis Cole
• Board of Directors & General Counsel, Cyber Future Foundation • Board of Advisors, NorthTexas Cyber Forensics Lab • Policy Council, NationalTechnology Security Coalition • CybersecurityTask Force, IntelligentTransportation Society ofAmerica • Cybersecurity & Data Privacy LawTrailblazers, National Law Journal (2016) • SuperLawyersTop 100 Lawyers in Dallas (2016) • SuperLawyers 2015-16 (IP Litigation) • Best Lawyers in Dallas 2014-16, D Magazine (Digital Information Law) • Council, Computer &Technology Section, State Bar ofTexas • Privacy and Data Security Committee of the State Bar ofTexas • College of the State Bar ofTexas • Board of Directors, Collin County Bench Bar Conference • Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association • Information Security Committee of the Section on Science &Technology Committee of the American Bar Association • NorthTexasCrime Commission, Cybercrime Committee & Infragard (FBI) • International Association of Privacy Professionals (IAPP) • Board of Advisors Office of CISO, Optiv Security Shawn Tuma Cybersecurity Partner Scheef & Stone, L.L.P. 214.472.2135 shawn.tuma@solidcounsel.com @shawnetuma blog: www.shawnetuma.com web: www.solidcounsel.com

More Related Content

PPTX
New York Department of Financial Services Cybersecurity Regulations
byShawn Tuma
 
PPTX
NYS DFS CyberSecurity Regulations
byJon Bosco
 
PDF
How to Approach the NYDFS Proposed Cybersecurity Requirements
byKyle Brown
 
PPTX
SEC OCIE - Cybersecurity Focus Areas, Guidance, and Best Practices
byKroll
 
PDF
Emerging Trends in Information Security and Privacy
bylgcdcpas
 
PPTX
A guide to Sustainable Cyber Security
byErnest Staats
 
PPTX
Cybersecurity: What does Cyber Insurance Cover?
byNext Dimension Inc.
 
PPTX
NYDFS Cybersecurity Regulations - 23 NYCRR Part 500
byShawn Tuma
 
New York Department of Financial Services Cybersecurity Regulations
byShawn Tuma
 
NYS DFS CyberSecurity Regulations
byJon Bosco
 
How to Approach the NYDFS Proposed Cybersecurity Requirements
byKyle Brown
 
SEC OCIE - Cybersecurity Focus Areas, Guidance, and Best Practices
byKroll
 
Emerging Trends in Information Security and Privacy
bylgcdcpas
 
A guide to Sustainable Cyber Security
byErnest Staats
 
Cybersecurity: What does Cyber Insurance Cover?
byNext Dimension Inc.
 
NYDFS Cybersecurity Regulations - 23 NYCRR Part 500
byShawn Tuma
 

What's hot

PPTX
How your nonprofit can avoid data breaches and ensure privacy
byTechSoup Canada
 
PPTX
Kristina Tanasichuk: Presentation of GTSC/InfraGard Cyber Survey
byGovernment Technology and Services Coalition
 
PDF
Don't let them take a byte
bylgcdcpas
 
PDF
New York DFS proposed cybersecurity regulations
byBrunswick Group
 
PDF
Emerging Trends in Information Privacy and Security
byJessica Santamaria
 
PPTX
Robert Nichols: Cybersecurity for Government Contractors
byGovernment Technology and Services Coalition
 
PPTX
The Science and Art of Cyber Incident Response (with Case Studies)
byKroll
 
PPTX
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
byTechSoup Canada
 
PDF
Information Security Intelligence
byguest08b1e6
 
PPTX
Cybersecurity: Protection strategies from Cisco and Next Dimension
byNext Dimension Inc.
 
PDF
Data breach-response-planning-laying-the-right-foundation
byBradley Arant Boult Cummings LLP
 
PDF
Cybersecurity and Privacy for In-House Counsel: How the New Regulations and G...
byShawn Tuma
 
PPTX
Cyber security cgi moving forward
byNils Thulin
 
PPTX
Cyber Security Planning: Preparing for a Data Breach
byFletcher Media
 
PDF
The Legal Case for Cybersecurity - SecureWorld Denver 2017 (Lunch Keynote)
byShawn Tuma
 
PPTX
CYBER SECURITY FOR LAW FIRMS
byScott Suhy
 
PDF
Why Your Organization Must Have a Cyber Risk Management Program and How to De...
byShawn Tuma
 
PPTX
Ci2 cyber insurance presentation
byEthan S. Burger
 
How your nonprofit can avoid data breaches and ensure privacy
byTechSoup Canada
 
Kristina Tanasichuk: Presentation of GTSC/InfraGard Cyber Survey
byGovernment Technology and Services Coalition
 
Don't let them take a byte
bylgcdcpas
 
New York DFS proposed cybersecurity regulations
byBrunswick Group
 
Emerging Trends in Information Privacy and Security
byJessica Santamaria
 
Robert Nichols: Cybersecurity for Government Contractors
byGovernment Technology and Services Coalition
 
The Science and Art of Cyber Incident Response (with Case Studies)
byKroll
 
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
byTechSoup Canada
 
Information Security Intelligence
byguest08b1e6
 
Cybersecurity: Protection strategies from Cisco and Next Dimension
byNext Dimension Inc.
 
Data breach-response-planning-laying-the-right-foundation
byBradley Arant Boult Cummings LLP
 
Cybersecurity and Privacy for In-House Counsel: How the New Regulations and G...
byShawn Tuma
 
Cyber security cgi moving forward
byNils Thulin
 
Cyber Security Planning: Preparing for a Data Breach
byFletcher Media
 
The Legal Case for Cybersecurity - SecureWorld Denver 2017 (Lunch Keynote)
byShawn Tuma
 
CYBER SECURITY FOR LAW FIRMS
byScott Suhy
 
Why Your Organization Must Have a Cyber Risk Management Program and How to De...
byShawn Tuma
 
Ci2 cyber insurance presentation
byEthan S. Burger
 

Similar to The Legal Case for Cybersecurity

PDF
The Legal Case for Cybersecurity - SecureWorld Dallas 2017 (Lunch Keynote)
byShawn Tuma
 
PDF
The Legal Case for Cyber Risk Management Programs and What They Should Include
byShawn Tuma
 
PDF
The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...
byShawn Tuma
 
PDF
Effective cybersecurity for small and midsize businesses
byShawn Tuma
 
PDF
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
byShawn Tuma
 
PDF
Cybersecurity (and Privacy) Issues - Legal and Compliance Issues Everyone in ...
byShawn Tuma
 
PDF
The Legal Case for Cyber Risk Management Programs and What They Should Include
byShawn Tuma
 
PDF
Cybersecurity: Cyber Risk Management for Lawyers and Clients
byShawn Tuma
 
PPTX
Contracting for Better Cybersecurity
byShawn Tuma
 
PPTX
SecureWorld Expo Dallas - Cybersecurity Law: What Business and IT Leaders Nee...
byShawn Tuma
 
PDF
Cybersecurity: What the GC and CEO Need to Know
byShawn Tuma
 
PDF
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
byShawn Tuma
 
PDF
Legal Issues Associated with Third-Party Cyber Risk
byShawn Tuma
 
PDF
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss
byShawn Tuma
 
PDF
Get the FUD out of Cybersecurity! ISACA CSXNA 2016 in Las Vegas
byShawn Tuma
 
PDF
Leadership Through the Firestorm - Legal Counsel's Role in Guiding Through Cy...
byShawn Tuma
 
PDF
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
byShawn Tuma
 
PDF
Cyber Security for Your Clients: Business Lawyers Advising Business Clients
byShawn Tuma
 
PPTX
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
bySirius
 
PPTX
A Brave New World of Cyber Security and Data Breach
byJim Brashear
 
The Legal Case for Cybersecurity - SecureWorld Dallas 2017 (Lunch Keynote)
byShawn Tuma
 
The Legal Case for Cyber Risk Management Programs and What They Should Include
byShawn Tuma
 
The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...
byShawn Tuma
 
Effective cybersecurity for small and midsize businesses
byShawn Tuma
 
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
byShawn Tuma
 
Cybersecurity (and Privacy) Issues - Legal and Compliance Issues Everyone in ...
byShawn Tuma
 
The Legal Case for Cyber Risk Management Programs and What They Should Include
byShawn Tuma
 
Cybersecurity: Cyber Risk Management for Lawyers and Clients
byShawn Tuma
 
Contracting for Better Cybersecurity
byShawn Tuma
 
SecureWorld Expo Dallas - Cybersecurity Law: What Business and IT Leaders Nee...
byShawn Tuma
 
Cybersecurity: What the GC and CEO Need to Know
byShawn Tuma
 
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
byShawn Tuma
 
Legal Issues Associated with Third-Party Cyber Risk
byShawn Tuma
 
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss
byShawn Tuma
 
Get the FUD out of Cybersecurity! ISACA CSXNA 2016 in Las Vegas
byShawn Tuma
 
Leadership Through the Firestorm - Legal Counsel's Role in Guiding Through Cy...
byShawn Tuma
 
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
byShawn Tuma
 
Cyber Security for Your Clients: Business Lawyers Advising Business Clients
byShawn Tuma
 
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
bySirius
 
A Brave New World of Cyber Security and Data Breach
byJim Brashear
 

More from Shawn Tuma

PDF
Lifecycle: Responding to a Ransomware Attack - A Professional Breach Guide's ...
byShawn Tuma
 
PDF
The Dark Side of Digital Engagement
byShawn Tuma
 
PDF
Incident Response Planning - Lifecycle of Responding to a Ransomware Attack
byShawn Tuma
 
PDF
Reimagine Your Company Operating Again After a Ransomware Attack -- The Lifec...
byShawn Tuma
 
PPTX
The Role of Contracts in Privacy, Cybersecurity, and Data Breach
byShawn Tuma
 
PDF
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
byShawn Tuma
 
PDF
Lawyers' Ethical Obligations for Cybersecurity
byShawn Tuma
 
PDF
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
byShawn Tuma
 
PDF
Real World Cyber Risk. Understand it. Manage it.
byShawn Tuma
 
PDF
Cyber Hygiene Checklist
byShawn Tuma
 
PDF
Cyber Incident Response Checklist
byShawn Tuma
 
PDF
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
byShawn Tuma
 
PPT
Something is Phishy: Cyber Scams and How to Avoid Them
byShawn Tuma
 
PPTX
Cybersecurity Fundamentals for Legal Professionals (and every other business)
byShawn Tuma
 
PDF
Cybersecurity Update
byShawn Tuma
 
PPTX
"What Could Go Wrong?" - We're Glad You Asked!
byShawn Tuma
 
PDF
Cybersecurity: How to Protect Your Firm from a Cyber Attack
byShawn Tuma
 
PDF
Recovering from a Cyber Attack
byShawn Tuma
 
PPTX
#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm
byShawn Tuma
 
PPTX
Cybersecurity Fundamentals for Legal Professionals
byShawn Tuma
 
Lifecycle: Responding to a Ransomware Attack - A Professional Breach Guide's ...
byShawn Tuma
 
The Dark Side of Digital Engagement
byShawn Tuma
 
Incident Response Planning - Lifecycle of Responding to a Ransomware Attack
byShawn Tuma
 
Reimagine Your Company Operating Again After a Ransomware Attack -- The Lifec...
byShawn Tuma
 
The Role of Contracts in Privacy, Cybersecurity, and Data Breach
byShawn Tuma
 
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
byShawn Tuma
 
Lawyers' Ethical Obligations for Cybersecurity
byShawn Tuma
 
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
byShawn Tuma
 
Real World Cyber Risk. Understand it. Manage it.
byShawn Tuma
 
Cyber Hygiene Checklist
byShawn Tuma
 
Cyber Incident Response Checklist
byShawn Tuma
 
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
byShawn Tuma
 
Something is Phishy: Cyber Scams and How to Avoid Them
byShawn Tuma
 
Cybersecurity Fundamentals for Legal Professionals (and every other business)
byShawn Tuma
 
Cybersecurity Update
byShawn Tuma
 
"What Could Go Wrong?" - We're Glad You Asked!
byShawn Tuma
 
Cybersecurity: How to Protect Your Firm from a Cyber Attack
byShawn Tuma
 
Recovering from a Cyber Attack
byShawn Tuma
 
#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm
byShawn Tuma
 
Cybersecurity Fundamentals for Legal Professionals
byShawn Tuma
 

Recently uploaded

PDF
VIETNAM - THE WORLD BANK IS ASKING DUANE MORRIS ON THE LAND LAW AND BUILDING ...
byDr. Oliver Massmann
 
PDF
How can I create a new user for the Rulebooks platform?
byLegal Manager
 
PDF
Power point presentation on Legal Methods.pdf
bykrishpurohith
 
PDF
Danielle Oliveira New Jersey - A Lifelong Learner
byDanielle Oliveira New Jersey
 
PPT
Competition act 2002 and competition commission of india
bydina818karan
 
PDF
Company Constitution vs Shareholders’ Agreement :What’s the Difference (and H...
byAdventum Legal Firm
 
PPTX
Amnesty Scheme for Foreign Asset Disclosure
bySS Industries
 
PDF
VIETNAM - GLOBAL WATER INTELLIGENCE INTERVIEWING DR. OLIVER MASSMANN ON PUBLI...
byDr. Oliver Massmann
 
PDF
Edited-ED-Right-to-health-and-emergency-medical-service-bill-2025.pdf
bysabranghindi
 
PDF
Top property lawyer law firm in pune. Propdox specializes in property dispute...
bypropdox lawyer
 
PDF
The Five Methods of Specific Relief Act,1877.pdf
by Judge Nazmul Hasan.
 
PDF
PUCL-2014-Judgement.pdf PUCL PUCL PUCL PUCL
bysabranghindi
 
PPTX
BJS Preparation Series- Understanding FIR.pptx
by Judge Nazmul Hasan.
 
PDF
ADGP-21.09.2023.pdf ADGP Rajasthan ADGP Rajasthan
bysabranghindi
 
PDF
Gujrat-HC-order-2.pdf Gujarat High Court
bysabranghindi
 
PDF
15.01.2025-DGP-RAJ.pdf DGP Rajasthan DGP
bysabranghindi
 
PPTX
Audio Video Analysis in Digital Forensics
byTruth labs
 
PDF
City of Chicago Labor Foreman Injured by Freight Elevator Seeks Workers' Comp...
byAnkin Law Office, LLC
 
PDF
AHRP LB - Energy Conservation Services Under MoEMR Reg 1 2026.pdf
byAHRP Law Firm
 
PDF
For-Website-MEMORANDUM..pdf Voter List Crisis
bysabranghindi
 
VIETNAM - THE WORLD BANK IS ASKING DUANE MORRIS ON THE LAND LAW AND BUILDING ...
byDr. Oliver Massmann
 
How can I create a new user for the Rulebooks platform?
byLegal Manager
 
Power point presentation on Legal Methods.pdf
bykrishpurohith
 
Danielle Oliveira New Jersey - A Lifelong Learner
byDanielle Oliveira New Jersey
 
Competition act 2002 and competition commission of india
bydina818karan
 
Company Constitution vs Shareholders’ Agreement :What’s the Difference (and H...
byAdventum Legal Firm
 
Amnesty Scheme for Foreign Asset Disclosure
bySS Industries
 
VIETNAM - GLOBAL WATER INTELLIGENCE INTERVIEWING DR. OLIVER MASSMANN ON PUBLI...
byDr. Oliver Massmann
 
Edited-ED-Right-to-health-and-emergency-medical-service-bill-2025.pdf
bysabranghindi
 
Top property lawyer law firm in pune. Propdox specializes in property dispute...
bypropdox lawyer
 
The Five Methods of Specific Relief Act,1877.pdf
by Judge Nazmul Hasan.
 
PUCL-2014-Judgement.pdf PUCL PUCL PUCL PUCL
bysabranghindi
 
BJS Preparation Series- Understanding FIR.pptx
by Judge Nazmul Hasan.
 
ADGP-21.09.2023.pdf ADGP Rajasthan ADGP Rajasthan
bysabranghindi
 
Gujrat-HC-order-2.pdf Gujarat High Court
bysabranghindi
 
15.01.2025-DGP-RAJ.pdf DGP Rajasthan DGP
bysabranghindi
 
Audio Video Analysis in Digital Forensics
byTruth labs
 
City of Chicago Labor Foreman Injured by Freight Elevator Seeks Workers' Comp...
byAnkin Law Office, LLC
 
AHRP LB - Energy Conservation Services Under MoEMR Reg 1 2026.pdf
byAHRP Law Firm
 
For-Website-MEMORANDUM..pdf Voter List Crisis
bysabranghindi
 

The Legal Case for Cybersecurity

  • 1.
    Shawn E. Tuma| Scheef & Stone, LLP Cybersecurity & Data Privacy Attorney 214.472.2135 | Shawn.tuma@solidcounsel.com THE LEGAL CASE FOR CYBERSECURITY @shawnetuma BusinessCyberRisk.com
  • 4.
  • 5.
    www.solidcounsel.com Shawn Tuma (214) 472-2135 Shawn.Tuma@solidcounsel.com www.shawnetuma.com @shawnetuma “Securityand IT protect companies’ data; Legal protects companies from their data.”
  • 6.
  • 7.
    Legal Obligations. Easily preventable •90% in 2014 • 91% in 2015 ▪ International Laws ▪ Safe Harbor ▪ Privacy Shield ▪ GDPR ▪ Federal Laws & Regs. ▪ HIPAA, GLBA, FERPA ▪ FTC, FCC, SEC ▪ State Laws ▪ 48 states (AL & SD) ▪ NYDFS & Colorado FinServ ▪ Industry Groups ▪ PCI, FINRA, etc. ▪ Contracts ▪ 3rd Party Bus. Assoc. ▪ Data Security Addendum
  • 8.
    The real-world threatsare not so sophisticated. Easily preventable • 90% in 2014 • 91% in 2015 • 63% confirmed breaches from weak, default, or stolen passwords • Data is lost over 100x more than stolen • Phishing used most to install malware Easily Avoidable Breaches 90% in 2014 91% in 2015 91% in 2016 (90% from email)
  • 9.
    Common Cybersecurity Best Practices 1. Riskassessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce. 4. Phish all workforce (esp. leadership). 5. Signature based antivirus and malware detection. 6. Access controls. 7. Security updates and patch management. 8. Multi-factor authentication. 9. Backups segmented offline and redundant. 10. No outdated or unsupported software. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk assessment & management. 15. Intrusion detection and intrusion prevention systems.
  • 10.
    Does your company have reasonable cybersecurity? Inre Target Data Security Breach Litigation, (Financial Institutions) (Dec. 2, 2014) F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24, 2015). 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce. 4. Phish all workforce (esp. leadership). 5. Signature based antivirus and malware detection. 6. Access controls. 7. Security updates and patch management. 8. Multi-factor authentication. 9. Backups segmented offline and redundant. 10. No outdated or unsupported software. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk assessment & management. 15. Intrusion detection and intrusion prevention systems.
  • 11.
    Does your company have adequate internalnetwork controls? FTC v. LabMD, (July 2016 FTC Commission Order) 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce. 4. Phish all workforce (esp. leadership). 5. Signature based antivirus and malware detection. 6. Access controls. 7. Security updates and patch management. 8. Multi-factor authentication. 9. Backups segmented offline and redundant. 10. No outdated or unsupported software. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk assessment & management. 15. Intrusion detection and intrusion prevention systems.
  • 12.
    Does your company have writtenpolicies and procedures focused on cybersecurity? SEC v. R.T. Jones Capital Equities Mgt., Consent Order (Sept. 22, 2015) 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce. 4. Phish all workforce (esp. leadership). 5. Signature based antivirus and malware detection. 6. Access controls. 7. Security updates and patch management. 8. Multi-factor authentication. 9. Backups segmented offline and redundant. 10. No outdated or unsupported software. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk assessment & management. 15. Intrusion detection and intrusion prevention systems.
  • 13.
    Does your company havea written cybersecurity incident response plan? SEC v. R.T. Jones Capital Equities Mgt., Consent Order (Sept. 22, 2015) 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce. 4. Phish all workforce (esp. leadership). 5. Signature based antivirus and malware detection. 6. Access controls. 7. Security updates and patch management. 8. Multi-factor authentication. 9. Backups segmented offline and redundant. 10. No outdated or unsupported software. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk assessment & management. 15. Intrusion detection and intrusion prevention systems.
  • 14.
    Does your company manage third- partycyber risk? In re GMR Transcription Svcs, Inc., Consent Order (August 14, 2014). 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce. 4. Phish all workforce (esp. leadership). 5. Signature based antivirus and malware detection. 6. Access controls. 7. Security updates and patch management. 8. Multi-factor authentication. 9. Backups segmented offline and redundant. 10. No outdated or unsupported software. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk assessment & management. 15. Intrusion detection and intrusion prevention systems.
  • 15.
    How mature is yourcompany’s cyber risk management program? In re GMR Transcription Svcs, Inc., Consent Order (August 14, 2014). “GMR Transcription Services, Inc. . . . Shall . . . establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondents’ or the business entity’s size and complexity, the nature and scope of respondents’ or the business entity’s activities, and the sensitivity of the personal information collected from or about consumers”
  • 16.
    www.solidcounsel.com New York Departmentof Financial Services Cybersecurity (NYDFS) Requirements for Financial Services Companies + [fill in] • All NY “financial institutions” + third party service providers. • Third party service providers – examine, obligate, audit. • Establish Cybersecurity Program (w/ specifics): • Logging, Data Classification, IDS, IPS; • Pen Testing, Vulnerability Assessments, Risk Assessment; and • Encryption, Access Controls. • Adopt Cybersecurity Policies. • Designate qualified CISO to be responsible. • Adequate cybersecurity personnel and intelligence. • Personnel Policies & Procedures, Training, Written IRP. • Chairman or Senior Officer Certify Compliance.
  • 17.
    EU – GeneralData Protection Regulation (GDPR) • Goal: Protect all EU citizens from privacy and data breaches. • When: May 25, 2018. • Reach: Applies to all companies (controllers and processors): • Processing data of EU residents (regardless of where processing), • In the EU (regardless of where processing), or • Offering goods or services to EU citizens or monitoring behavior in EU. • Penalties: up to 4% global turnover or €20 Million (whichever is greater). • Remedies: data subjects have judicial remedies, right to damages. • Data subject rights: • Breach notification – 72 hrs to DPA; “without undue delay” to data subjects. • Right to access – provide confirmation of processing and electronic copy (free). • Data erasure – right to be forgotten, erase, cease dissemination or processing. • Data portability – receive previously provided data in common elect. format. • Privacy by design – include data protection from the onset of designing systems.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
    Cyber Insurance –Key Questions • Do you know if you even have it? • What period does the policy cover? • Are Officers & Directors Covered? • Cover 3rd Party Caused Events? • Social Engineering coverage? • Cover insiders intentional acts (vs. negligent)? • Is contractual liability covered? • What is the triggering event? • What types of data are covered? • What kind of incidents are covered? • Acts of war? Terrorism? • Required carrier list for attorneys & experts? • Other similar risks?
  • 23.
    www.solidcounsel.com “You don’t drownby falling in the water; You drown by staying there.” – Edwin Louis Cole
  • 24.
    • Board ofDirectors & General Counsel, Cyber Future Foundation • Board of Advisors, NorthTexas Cyber Forensics Lab • Policy Council, NationalTechnology Security Coalition • CybersecurityTask Force, IntelligentTransportation Society ofAmerica • Cybersecurity & Data Privacy LawTrailblazers, National Law Journal (2016) • SuperLawyersTop 100 Lawyers in Dallas (2016) • SuperLawyers 2015-16 (IP Litigation) • Best Lawyers in Dallas 2014-16, D Magazine (Digital Information Law) • Council, Computer &Technology Section, State Bar ofTexas • Privacy and Data Security Committee of the State Bar ofTexas • College of the State Bar ofTexas • Board of Directors, Collin County Bench Bar Conference • Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association • Information Security Committee of the Section on Science &Technology Committee of the American Bar Association • NorthTexasCrime Commission, Cybercrime Committee & Infragard (FBI) • International Association of Privacy Professionals (IAPP) • Board of Advisors Office of CISO, Optiv Security Shawn Tuma Cybersecurity Partner Scheef & Stone, L.L.P. 214.472.2135 shawn.tuma@solidcounsel.com @shawnetuma blog: www.shawnetuma.com web: www.solidcounsel.com