SlideShare a Scribd company logo

The Legal Case for Cybersecurity - SecureWorld Denver 2017 (Lunch Keynote)

Shawn Tuma
Shawn Tuma

Cybersecurity & Data Privacy Attorney Shawn Tuma presents the lunch keynote on the Legal Case for Cybersecurity at SecureWorld-Denver in 2017.

Law
1 of 21
Download to read offline
The Legal Case for Cybersecurity Shawn E. Tuma Cybersecurity & Data Privacy Attorney Scheef & Stone, LLP
A smart man learns from his mistakes. A wise man learns from the mistakes of others. A fool never learns.
“Cybersecurity is no longer just an IT issue—it is an overall business risk issue.”
“Security and IT protect companies’ data; Legal protects companies from their data.”
Legal obligations. ▪ Types ▪ Security ▪ Privacy ▪ Unauthorized Access ▪ International Laws ▪ Privacy Shield ▪ GDPR ▪ Federal Laws & Regs. ▪ HIPAA, GLBA, FERPA ▪ FTC, FCC, SEC ▪ State Laws ▪ 48 states (AL & SD) ▪ NYDFS & Colorado FinServ ▪ Industry Groups ▪ PCI, FINRA, etc. ▪ Contracts ▪ 3rd Party Bus. Assoc. ▪ Data Security Addendum
Real-world threats. • 63% confirmed breaches from weak, default, or stolen passwords • Data is lost over 100x more than stolen • Phishing used most to install malware Easily Avoidable Breaches 90% in 2014 91% in 2015 91% in 2016 (90% from email) Easily Avoidable Breaches 90% in 2014 91% in 2015 91% in 2016 (90% from email)
Common cybersecurity best practices. 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce. 4. Phish all workforce (esp. leadership). 5. Signature based antivirus and malware detection. 6. Access controls. 7. Security updates and patch management. 8. Multi-factor authentication. 9. Backups segmented offline and redundant. 10. No outdated or unsupported software. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk assessment & management. 15. Intrusion detection and intrusion prevention systems.
Does your company have reasonable cybersecurity? 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce. 4. Phish all workforce (esp. leadership). 5. Signature based antivirus and malware detection. 6. Access controls. 7. Security updates and patch management. 8. Multi-factor authentication. 9. Backups segmented offline and redundant. 10. No outdated or unsupported software. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk assessment & management. 15. Intrusion detection and intrusion prevention systems. In re Target Data Security Breach Litigation, (Fin. Inst.) (Dec. 2, 2014) F.T.C. v. Wyndham Worldwide Corp., 299 F.3d 236 (3rd Cir. Aug. 24, 2015)
Does your company have reasonable cybersecurity? 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce. 4. Phish all workforce (esp. leadership). 5. Signature based antivirus and malware detection. 6. Access controls. 7. Security updates and patch management. 8. Multi-factor authentication. 9. Backups segmented offline and redundant. 10. No outdated or unsupported software. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk assessment & management. 15. Intrusion detection and intrusion prevention systems. In re Target Data Security Breach Litigation, (Fin. Inst.) (Dec. 2, 2014) F.T.C. v. Wyndham Worldwide Corp., 299 F.3d 236 (3rd Cir. Aug. 24, 2015)
Does your company have adequate internal network controls? 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce. 4. Phish all workforce (esp. leadership). 5. Signature based antivirus and malware detection. 6. Access controls. 7. Security updates and patch management. 8. Multi-factor authentication. 9. Backups segmented offline and redundant. 10. No outdated or unsupported software. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk assessment & management. 15. Intrusion detection and intrusion prevention systems. F.T.C. v. LabMD, (July 2016 FTC Commission Order)
Does your company have written policies and procedures focused on cybersecurity? 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce. 4. Phish all workforce (esp. leadership). 5. Signature based antivirus and malware detection. 6. Access controls. 7. Security updates and patch management. 8. Multi-factor authentication. 9. Backups segmented offline and redundant. 10. No outdated or unsupported software. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk assessment & management. 15. Intrusion detection and intrusion prevention systems. SEC v. R.T. Jones Capital, Consent Order (Sept. 22, 2015)
Does your company have a written cybersecurity incident response plan? 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce. 4. Phish all workforce (esp. leadership). 5. Signature based antivirus and malware detection. 6. Access controls. 7. Security updates and patch management. 8. Multi-factor authentication. 9. Backups segmented offline and redundant. 10. No outdated or unsupported software. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk assessment & management. 15. Intrusion detection and intrusion prevention systems. SEC v. R.T. Jones Capital, Consent Order (Sept. 22, 2015)
Does your company manage third-party cyber risk? 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce. 4. Phish all workforce (esp. leadership). 5. Signature based antivirus and malware detection. 6. Access controls. 7. Security updates and patch management. 8. Multi-factor authentication. 9. Backups segmented offline and redundant. 10. No outdated or unsupported software. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk assessment & management. 15. Intrusion detection and intrusion prevention systems. In re GMR Transcription Svcs, Consent Order (Aug. 14, 2014)
How mature is your company’s cyber risk management program? “GMR Transcription Services, Inc. . . . Shall . . . establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondents’ or the business entity’s size and complexity, the nature and scope of respondents’ or the business entity’s activities, and the sensitivity of the personal information collected from or about consumers” In re GMR Transcription Svcs, Consent Order (Aug. 14, 2014)
NYDFS Cybersecurity Regulation • All NY “financial institutions” + third party service providers. • Third party service providers – examine, obligate, audit. • Establish Cybersecurity Program (w/ specifics): • Logging, Data Classification, IDS, IPS; • Pen Testing, Vulnerability Assessments, Risk Assessment; and • Encryption, Access Controls. • Adopt Cybersecurity Policies. • Designate qualified CISO to be responsible. • Adequate cybersecurity personnel and intelligence. • Personnel Policies & Procedures, Training, Written IRP. • Chairman or Senior Officer Certify Compliance.
EU General Data Protection Regulation (GDPR) • Goal: Protect data subjects residing in EU from privacy and data breaches. • When: May 25, 2018. • Reach: Applies to all companies (controllers and processors): • Processing data of EU residents (regardless of where processing), • In the EU (regardless of where processing), or • Offering goods or servcs to data subjects in EU or monitoring behavior in EU. • Penalties: up to 4% global turnover or €20 Million (whichever is greater). • Remedies: data subjects have judicial remedies, right to damages. • Data subject rights: • Breach notification – 72 hrs to DPA; “without undue delay” to data subjects. • Right to access – provide confirmation of processing and electronic copy (free). • Data erasure – right to be forgotten, erase, cease dissemination or processing. • Data portability – receive previously provided data in common format. • Privacy by design – include data protection in the designing systems.
How mature is your company’s Cybersecurity Risk Management Program?
@shawnetuma BusinessCyberRisk.com
“You don’t drown by falling in the water; You drown by staying there.” – Edwin Louis Cole
• Board of Directors & General Counsel, Cyber Future Foundation • Board of Advisors, North Texas Cyber Forensics Lab • Policy Council, National Technology Security Coalition • Cybersecurity Task Force, Intelligent Transportation Society of America • Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016) • SuperLawyers Top 100 Lawyers in Dallas (2016) • SuperLawyers 2015-16 (IP Litigation) • Best Lawyers in Dallas 2014-16, D Magazine (Digital Information Law) • Council, Computer & Technology Section, State Bar of Texas • Privacy and Data Security Committee of the State Bar of Texas • College of the State Bar of Texas • Board of Directors, Collin County Bench Bar Conference • Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association • Information Security Committee of the Section on Science & Technology Committee of the American Bar Association • North Texas Crime Commission, Cybercrime Committee & Infragard (FBI) • International Association of Privacy Professionals (IAPP) Shawn Tuma Cybersecurity Attorney Scheef & Stone, L.L.P. 214.472.2135 shawn.tuma@solidcounsel.com @shawnetuma blog: www.shawnetuma.com web: www.solidcounsel.com

Recommended

The Legal Case for Cybersecurity - SecureWorld Dallas 2017 (Lunch Keynote)
The Legal Case for Cybersecurity - SecureWorld Dallas 2017 (Lunch Keynote)The Legal Case for Cybersecurity - SecureWorld Dallas 2017 (Lunch Keynote)
The Legal Case for Cybersecurity - SecureWorld Dallas 2017 (Lunch Keynote)
Shawn Tuma
 
Why Your Organization Must Have a Cyber Risk Management Program and How to De...
Why Your Organization Must Have a Cyber Risk Management Program and How to De...Why Your Organization Must Have a Cyber Risk Management Program and How to De...
Why Your Organization Must Have a Cyber Risk Management Program and How to De...
Shawn Tuma
 
Contracting for Better Cybersecurity
Contracting for Better CybersecurityContracting for Better Cybersecurity
Contracting for Better Cybersecurity
Shawn Tuma
 
The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...
The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...
The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...
Shawn Tuma
 
The Legal Case for Cybersecurity
The Legal Case for CybersecurityThe Legal Case for Cybersecurity
The Legal Case for Cybersecurity
Shawn Tuma
 
New York Department of Financial Services Cybersecurity Regulations
New York Department of Financial Services Cybersecurity RegulationsNew York Department of Financial Services Cybersecurity Regulations
New York Department of Financial Services Cybersecurity Regulations
Shawn Tuma
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Resilient Systems
 
Recovering from a Cyber Attack
Recovering from a Cyber AttackRecovering from a Cyber Attack
Recovering from a Cyber Attack
Shawn Tuma
 

Recommended

The Legal Case for Cybersecurity - SecureWorld Dallas 2017 (Lunch Keynote)
The Legal Case for Cybersecurity - SecureWorld Dallas 2017 (Lunch Keynote)The Legal Case for Cybersecurity - SecureWorld Dallas 2017 (Lunch Keynote)
The Legal Case for Cybersecurity - SecureWorld Dallas 2017 (Lunch Keynote)
Shawn Tuma
 
Why Your Organization Must Have a Cyber Risk Management Program and How to De...
Why Your Organization Must Have a Cyber Risk Management Program and How to De...Why Your Organization Must Have a Cyber Risk Management Program and How to De...
Why Your Organization Must Have a Cyber Risk Management Program and How to De...
Shawn Tuma
 
Contracting for Better Cybersecurity
Contracting for Better CybersecurityContracting for Better Cybersecurity
Contracting for Better Cybersecurity
Shawn Tuma
 
The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...
The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...
The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...
Shawn Tuma
 
The Legal Case for Cybersecurity
The Legal Case for CybersecurityThe Legal Case for Cybersecurity
The Legal Case for Cybersecurity
Shawn Tuma
 
New York Department of Financial Services Cybersecurity Regulations
New York Department of Financial Services Cybersecurity RegulationsNew York Department of Financial Services Cybersecurity Regulations
New York Department of Financial Services Cybersecurity Regulations
Shawn Tuma
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Resilient Systems
 
Recovering from a Cyber Attack
Recovering from a Cyber AttackRecovering from a Cyber Attack
Recovering from a Cyber Attack
Shawn Tuma
 
Laser App Conference 2017 - Sid Yenamandra, Entreda
Laser App Conference 2017 - Sid Yenamandra, EntredaLaser App Conference 2017 - Sid Yenamandra, Entreda
Laser App Conference 2017 - Sid Yenamandra, Entreda
Laser App Software
 
A guide to Sustainable Cyber Security
A guide to Sustainable Cyber SecurityA guide to Sustainable Cyber Security
A guide to Sustainable Cyber Security
Ernest Staats
 
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsCybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Shawn Tuma
 
Cybersecurity: Cyber Risk Management for Lawyers and Clients
Cybersecurity: Cyber Risk Management for Lawyers and ClientsCybersecurity: Cyber Risk Management for Lawyers and Clients
Cybersecurity: Cyber Risk Management for Lawyers and Clients
Shawn Tuma
 
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Joe Bartolo
 
The Legal Case for Cyber Risk Management Programs and What They Should Include
The Legal Case for Cyber Risk Management Programs and What They Should IncludeThe Legal Case for Cyber Risk Management Programs and What They Should Include
The Legal Case for Cyber Risk Management Programs and What They Should Include
Shawn Tuma
 
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...
Government Technology and Services Coalition
 
Cyber Security Planning: Preparing for a Data Breach
Cyber Security Planning: Preparing for a Data BreachCyber Security Planning: Preparing for a Data Breach
Cyber Security Planning: Preparing for a Data Breach
Fletcher Media
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3
Meg Weber
 
SEC OCIE - Cybersecurity Focus Areas, Guidance, and Best Practices
SEC OCIE - Cybersecurity Focus Areas, Guidance, and Best PracticesSEC OCIE - Cybersecurity Focus Areas, Guidance, and Best Practices
SEC OCIE - Cybersecurity Focus Areas, Guidance, and Best Practices
Kroll
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber risk
Stephen Cobb
 
Cyber Resilience
Cyber ResilienceCyber Resilience
Cyber Resilience
Ian-Edward Stafrace
 
Setting up CSIRT
Setting up CSIRTSetting up CSIRT
Setting up CSIRT
APNIC
 
Netwatcher Credit Union Tech Talk
Netwatcher Credit Union Tech TalkNetwatcher Credit Union Tech Talk
Netwatcher Credit Union Tech Talk
NetWatcher
 
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
PECB
 
Maritime Cyber Security
Maritime Cyber SecurityMaritime Cyber Security
Maritime Cyber Security
Dimitris Chalambalis
 
Emerging Trends in Information Security and Privacy
Emerging Trends in Information Security and PrivacyEmerging Trends in Information Security and Privacy
Emerging Trends in Information Security and Privacy
lgcdcpas
 
Day 1 Enisa Setting Up A Csirt
Day 1 Enisa Setting Up A CsirtDay 1 Enisa Setting Up A Csirt
Day 1 Enisa Setting Up A Csirt
vngundi
 
Hunting for cyber threats targeting weapon systems
Hunting for cyber threats targeting weapon systemsHunting for cyber threats targeting weapon systems
Hunting for cyber threats targeting weapon systems
Fidelis Cybersecurity
 
Cyber Security Strategies and Approaches
Cyber Security Strategies and ApproachesCyber Security Strategies and Approaches
Cyber Security Strategies and Approaches
vngundi
 
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk SummitThe Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
Shawn Tuma
 
Effective cybersecurity for small and midsize businesses
Effective cybersecurity for small and midsize businessesEffective cybersecurity for small and midsize businesses
Effective cybersecurity for small and midsize businesses
Shawn Tuma
 

More Related Content

What's hot

Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsCybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Shawn Tuma
 
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...
Government Technology and Services Coalition
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3
Meg Weber
 
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
PECB
 
Emerging Trends in Information Security and Privacy
Emerging Trends in Information Security and PrivacyEmerging Trends in Information Security and Privacy
Emerging Trends in Information Security and Privacy
lgcdcpas
 

What's hot (20)

Laser App Conference 2017 - Sid Yenamandra, Entreda
Laser App Conference 2017 - Sid Yenamandra, EntredaLaser App Conference 2017 - Sid Yenamandra, Entreda
Laser App Conference 2017 - Sid Yenamandra, Entreda
 
A guide to Sustainable Cyber Security
A guide to Sustainable Cyber SecurityA guide to Sustainable Cyber Security
A guide to Sustainable Cyber Security
 
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsCybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
 
Cybersecurity: Cyber Risk Management for Lawyers and Clients
Cybersecurity: Cyber Risk Management for Lawyers and ClientsCybersecurity: Cyber Risk Management for Lawyers and Clients
Cybersecurity: Cyber Risk Management for Lawyers and Clients
 
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
 
The Legal Case for Cyber Risk Management Programs and What They Should Include
The Legal Case for Cyber Risk Management Programs and What They Should IncludeThe Legal Case for Cyber Risk Management Programs and What They Should Include
The Legal Case for Cyber Risk Management Programs and What They Should Include
 
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...
 
Cyber Security Planning: Preparing for a Data Breach
Cyber Security Planning: Preparing for a Data BreachCyber Security Planning: Preparing for a Data Breach
Cyber Security Planning: Preparing for a Data Breach
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3
 
SEC OCIE - Cybersecurity Focus Areas, Guidance, and Best Practices
SEC OCIE - Cybersecurity Focus Areas, Guidance, and Best PracticesSEC OCIE - Cybersecurity Focus Areas, Guidance, and Best Practices
SEC OCIE - Cybersecurity Focus Areas, Guidance, and Best Practices
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber risk
 
Cyber Resilience
Cyber ResilienceCyber Resilience
Cyber Resilience
 
Setting up CSIRT
Setting up CSIRTSetting up CSIRT
Setting up CSIRT
 
Netwatcher Credit Union Tech Talk
Netwatcher Credit Union Tech TalkNetwatcher Credit Union Tech Talk
Netwatcher Credit Union Tech Talk
 
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
 
Maritime Cyber Security
Maritime Cyber SecurityMaritime Cyber Security
Maritime Cyber Security
 
Emerging Trends in Information Security and Privacy
Emerging Trends in Information Security and PrivacyEmerging Trends in Information Security and Privacy
Emerging Trends in Information Security and Privacy
 
Day 1 Enisa Setting Up A Csirt
Day 1 Enisa Setting Up A CsirtDay 1 Enisa Setting Up A Csirt
Day 1 Enisa Setting Up A Csirt
 
Hunting for cyber threats targeting weapon systems
Hunting for cyber threats targeting weapon systemsHunting for cyber threats targeting weapon systems
Hunting for cyber threats targeting weapon systems
 
Cyber Security Strategies and Approaches
Cyber Security Strategies and ApproachesCyber Security Strategies and Approaches
Cyber Security Strategies and Approaches
 

Similar to The Legal Case for Cybersecurity - SecureWorld Denver 2017 (Lunch Keynote)

Cybersecurity and Privacy for In-House Counsel: How the New Regulations and G...
Cybersecurity and Privacy for In-House Counsel: How the New Regulations and G...Cybersecurity and Privacy for In-House Counsel: How the New Regulations and G...
Cybersecurity and Privacy for In-House Counsel: How the New Regulations and G...
Shawn Tuma
 
Cybercrime and the Hidden Perils of Patient Data
Cybercrime and the Hidden Perils of Patient DataCybercrime and the Hidden Perils of Patient Data
Cybercrime and the Hidden Perils of Patient Data
Stephen Cobb
 

Similar to The Legal Case for Cybersecurity - SecureWorld Denver 2017 (Lunch Keynote) (20)

The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk SummitThe Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
 
Effective cybersecurity for small and midsize businesses
Effective cybersecurity for small and midsize businessesEffective cybersecurity for small and midsize businesses
Effective cybersecurity for small and midsize businesses
 
Cybersecurity and Privacy for In-House Counsel: How the New Regulations and G...
Cybersecurity and Privacy for In-House Counsel: How the New Regulations and G...Cybersecurity and Privacy for In-House Counsel: How the New Regulations and G...
Cybersecurity and Privacy for In-House Counsel: How the New Regulations and G...
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security Basics
 
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnovProtecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
 
Cybersecurity Fundamentals by Shaw E. Tuma
Cybersecurity Fundamentals by Shaw E. TumaCybersecurity Fundamentals by Shaw E. Tuma
Cybersecurity Fundamentals by Shaw E. Tuma
 
Cybersecurity Fundamentals for Legal Professionals (and every other business)
Cybersecurity Fundamentals for Legal Professionals (and every other business)Cybersecurity Fundamentals for Legal Professionals (and every other business)
Cybersecurity Fundamentals for Legal Professionals (and every other business)
 
Cybersecurity: How to Protect Your Firm from a Cyber Attack
Cybersecurity: How to Protect Your Firm from a Cyber AttackCybersecurity: How to Protect Your Firm from a Cyber Attack
Cybersecurity: How to Protect Your Firm from a Cyber Attack
 
1. introduction to cyber security
1. introduction to cyber security1. introduction to cyber security
1. introduction to cyber security
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016
 
#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm
#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm
#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm
 
OSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the UnionOSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the Union
 
Cybercrime and the Hidden Perils of Patient Data
Cybercrime and the Hidden Perils of Patient DataCybercrime and the Hidden Perils of Patient Data
Cybercrime and the Hidden Perils of Patient Data
 
Cybersecurity Fundamentals for Legal Professionals
Cybersecurity Fundamentals for Legal ProfessionalsCybersecurity Fundamentals for Legal Professionals
Cybersecurity Fundamentals for Legal Professionals
 
Securing Your Digital Files from Legal Threats
Securing Your Digital Files from Legal ThreatsSecuring Your Digital Files from Legal Threats
Securing Your Digital Files from Legal Threats
 
secureit-cloudsecurity-151130141528-lva1-app6892.pdf
secureit-cloudsecurity-151130141528-lva1-app6892.pdfsecureit-cloudsecurity-151130141528-lva1-app6892.pdf
secureit-cloudsecurity-151130141528-lva1-app6892.pdf
 
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
 
The Legal Case for Cyber Risk Management Programs and What They Should Include
The Legal Case for Cyber Risk Management Programs and What They Should IncludeThe Legal Case for Cyber Risk Management Programs and What They Should Include
The Legal Case for Cyber Risk Management Programs and What They Should Include
 
Real World Cybersecurity Tips You Can Use to Protect Your Clients, Your Firm,...
Real World Cybersecurity Tips You Can Use to Protect Your Clients, Your Firm,...Real World Cybersecurity Tips You Can Use to Protect Your Clients, Your Firm,...
Real World Cybersecurity Tips You Can Use to Protect Your Clients, Your Firm,...
 
Cloud & Sécurité
Cloud & SécuritéCloud & Sécurité
Cloud & Sécurité
 

More from Shawn Tuma

Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Shawn Tuma
 
Cyber Incident Response Checklist
Cyber Incident Response ChecklistCyber Incident Response Checklist
Cyber Incident Response Checklist
Shawn Tuma
 
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
Shawn Tuma
 

More from Shawn Tuma (16)

Lifecycle: Responding to a Ransomware Attack - A Professional Breach Guide's ...
Lifecycle: Responding to a Ransomware Attack - A Professional Breach Guide's ...Lifecycle: Responding to a Ransomware Attack - A Professional Breach Guide's ...
Lifecycle: Responding to a Ransomware Attack - A Professional Breach Guide's ...
 
The Dark Side of Digital Engagement
The Dark Side of Digital EngagementThe Dark Side of Digital Engagement
The Dark Side of Digital Engagement
 
Incident Response Planning - Lifecycle of Responding to a Ransomware Attack
Incident Response Planning - Lifecycle of Responding to a Ransomware AttackIncident Response Planning - Lifecycle of Responding to a Ransomware Attack
Incident Response Planning - Lifecycle of Responding to a Ransomware Attack
 
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
 
Reimagine Your Company Operating Again After a Ransomware Attack -- The Lifec...
Reimagine Your Company Operating Again After a Ransomware Attack -- The Lifec...Reimagine Your Company Operating Again After a Ransomware Attack -- The Lifec...
Reimagine Your Company Operating Again After a Ransomware Attack -- The Lifec...
 
The Role of Contracts in Privacy, Cybersecurity, and Data Breach
The Role of Contracts in Privacy, Cybersecurity, and Data BreachThe Role of Contracts in Privacy, Cybersecurity, and Data Breach
The Role of Contracts in Privacy, Cybersecurity, and Data Breach
 
Lawyers' Ethical Obligations for Cybersecurity
Lawyers' Ethical Obligations for CybersecurityLawyers' Ethical Obligations for Cybersecurity
Lawyers' Ethical Obligations for Cybersecurity
 
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
 
Real World Cyber Risk. Understand it. Manage it.
Real World Cyber Risk. Understand it. Manage it.Real World Cyber Risk. Understand it. Manage it.
Real World Cyber Risk. Understand it. Manage it.
 
Cyber Hygiene Checklist
Cyber Hygiene ChecklistCyber Hygiene Checklist
Cyber Hygiene Checklist
 
Cyber Incident Response Checklist
Cyber Incident Response ChecklistCyber Incident Response Checklist
Cyber Incident Response Checklist
 
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
 
Something is Phishy: Cyber Scams and How to Avoid Them
Something is Phishy: Cyber Scams and How to Avoid ThemSomething is Phishy: Cyber Scams and How to Avoid Them
Something is Phishy: Cyber Scams and How to Avoid Them
 
NYDFS Cybersecurity Regulations - 23 NYCRR Part 500
NYDFS Cybersecurity Regulations - 23 NYCRR Part 500NYDFS Cybersecurity Regulations - 23 NYCRR Part 500
NYDFS Cybersecurity Regulations - 23 NYCRR Part 500
 
Cybersecurity Update
Cybersecurity UpdateCybersecurity Update
Cybersecurity Update
 
"What Could Go Wrong?" - We're Glad You Asked!
"What Could Go Wrong?" - We're Glad You Asked!"What Could Go Wrong?" - We're Glad You Asked!
"What Could Go Wrong?" - We're Glad You Asked!
 

Recently uploaded

一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
ss
 
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
F La
 
一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书
irst
 
一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理
Airst S
 
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
bd2c5966a56d
 
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSSASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
CssSpamx
 
一比一原版(MelbourneU毕业证书)墨尔本大学毕业证学位证书
一比一原版(MelbourneU毕业证书)墨尔本大学毕业证学位证书一比一原版(MelbourneU毕业证书)墨尔本大学毕业证学位证书
一比一原版(MelbourneU毕业证书)墨尔本大学毕业证学位证书
irst
 
一比一原版(KPU毕业证书)加拿大昆特兰理工大学毕业证如何办理
一比一原版(KPU毕业证书)加拿大昆特兰理工大学毕业证如何办理一比一原版(KPU毕业证书)加拿大昆特兰理工大学毕业证如何办理
一比一原版(KPU毕业证书)加拿大昆特兰理工大学毕业证如何办理
e9733fc35af6
 
一比一原版(KPU毕业证书)昆特兰理工大学毕业证如何办理
一比一原版(KPU毕业证书)昆特兰理工大学毕业证如何办理一比一原版(KPU毕业证书)昆特兰理工大学毕业证如何办理
一比一原版(KPU毕业证书)昆特兰理工大学毕业证如何办理
ss
 
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
e9733fc35af6
 
一比一原版(Warwick毕业证书)华威大学毕业证如何办理
一比一原版(Warwick毕业证书)华威大学毕业证如何办理一比一原版(Warwick毕业证书)华威大学毕业证如何办理
一比一原版(Warwick毕业证书)华威大学毕业证如何办理
Fir La
 
一比一原版(Carleton毕业证书)加拿大卡尔顿大学毕业证如何办理
一比一原版(Carleton毕业证书)加拿大卡尔顿大学毕业证如何办理一比一原版(Carleton毕业证书)加拿大卡尔顿大学毕业证如何办理
一比一原版(Carleton毕业证书)加拿大卡尔顿大学毕业证如何办理
e9733fc35af6
 
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
Airst S
 

Recently uploaded (20)

一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
 
ARTICLE 370 PDF about the indian constitution.
ARTICLE 370 PDF about the indian constitution.ARTICLE 370 PDF about the indian constitution.
ARTICLE 370 PDF about the indian constitution.
 
Hely-Hutchinson v. Brayhead Ltd .pdf
Hely-Hutchinson v. Brayhead Ltd .pdfHely-Hutchinson v. Brayhead Ltd .pdf
Hely-Hutchinson v. Brayhead Ltd .pdf
 
Elective Course on Forensic Science in Law
Elective Course on Forensic Science in LawElective Course on Forensic Science in Law
Elective Course on Forensic Science in Law
 
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
 
一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书
 
一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理
 
Career As Legal Reporters for Law Students
Career As Legal Reporters for Law StudentsCareer As Legal Reporters for Law Students
Career As Legal Reporters for Law Students
 
Philippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam TakersPhilippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam Takers
 
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
 
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSSASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
 
一比一原版(MelbourneU毕业证书)墨尔本大学毕业证学位证书
一比一原版(MelbourneU毕业证书)墨尔本大学毕业证学位证书一比一原版(MelbourneU毕业证书)墨尔本大学毕业证学位证书
一比一原版(MelbourneU毕业证书)墨尔本大学毕业证学位证书
 
一比一原版(KPU毕业证书)加拿大昆特兰理工大学毕业证如何办理
一比一原版(KPU毕业证书)加拿大昆特兰理工大学毕业证如何办理一比一原版(KPU毕业证书)加拿大昆特兰理工大学毕业证如何办理
一比一原版(KPU毕业证书)加拿大昆特兰理工大学毕业证如何办理
 
一比一原版(KPU毕业证书)昆特兰理工大学毕业证如何办理
一比一原版(KPU毕业证书)昆特兰理工大学毕业证如何办理一比一原版(KPU毕业证书)昆特兰理工大学毕业证如何办理
一比一原版(KPU毕业证书)昆特兰理工大学毕业证如何办理
 
Reason Behind the Success of Law Firms in India
Reason Behind the Success of Law Firms in IndiaReason Behind the Success of Law Firms in India
Reason Behind the Success of Law Firms in India
 
Navigating Employment Law - Term Project.pptx
Navigating Employment Law - Term Project.pptxNavigating Employment Law - Term Project.pptx
Navigating Employment Law - Term Project.pptx
 
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
 
一比一原版(Warwick毕业证书)华威大学毕业证如何办理
一比一原版(Warwick毕业证书)华威大学毕业证如何办理一比一原版(Warwick毕业证书)华威大学毕业证如何办理
一比一原版(Warwick毕业证书)华威大学毕业证如何办理
 
一比一原版(Carleton毕业证书)加拿大卡尔顿大学毕业证如何办理
一比一原版(Carleton毕业证书)加拿大卡尔顿大学毕业证如何办理一比一原版(Carleton毕业证书)加拿大卡尔顿大学毕业证如何办理
一比一原版(Carleton毕业证书)加拿大卡尔顿大学毕业证如何办理
 
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
 

The Legal Case for Cybersecurity - SecureWorld Denver 2017 (Lunch Keynote)

  • 1. The Legal Case for Cybersecurity Shawn E. Tuma Cybersecurity & Data Privacy Attorney Scheef & Stone, LLP
  • 2. A smart man learns from his mistakes. A wise man learns from the mistakes of others. A fool never learns.
  • 3.
  • 4. “Cybersecurity is no longer just an IT issue—it is an overall business risk issue.”
  • 5. “Security and IT protect companies’ data; Legal protects companies from their data.”
  • 6. Legal obligations. ▪ Types ▪ Security ▪ Privacy ▪ Unauthorized Access ▪ International Laws ▪ Privacy Shield ▪ GDPR ▪ Federal Laws & Regs. ▪ HIPAA, GLBA, FERPA ▪ FTC, FCC, SEC ▪ State Laws ▪ 48 states (AL & SD) ▪ NYDFS & Colorado FinServ ▪ Industry Groups ▪ PCI, FINRA, etc. ▪ Contracts ▪ 3rd Party Bus. Assoc. ▪ Data Security Addendum
  • 7. Real-world threats. • 63% confirmed breaches from weak, default, or stolen passwords • Data is lost over 100x more than stolen • Phishing used most to install malware Easily Avoidable Breaches 90% in 2014 91% in 2015 91% in 2016 (90% from email) Easily Avoidable Breaches 90% in 2014 91% in 2015 91% in 2016 (90% from email)
  • 8. Common cybersecurity best practices. 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce. 4. Phish all workforce (esp. leadership). 5. Signature based antivirus and malware detection. 6. Access controls. 7. Security updates and patch management. 8. Multi-factor authentication. 9. Backups segmented offline and redundant. 10. No outdated or unsupported software. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk assessment & management. 15. Intrusion detection and intrusion prevention systems.
  • 9. Does your company have reasonable cybersecurity? 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce. 4. Phish all workforce (esp. leadership). 5. Signature based antivirus and malware detection. 6. Access controls. 7. Security updates and patch management. 8. Multi-factor authentication. 9. Backups segmented offline and redundant. 10. No outdated or unsupported software. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk assessment & management. 15. Intrusion detection and intrusion prevention systems. In re Target Data Security Breach Litigation, (Fin. Inst.) (Dec. 2, 2014) F.T.C. v. Wyndham Worldwide Corp., 299 F.3d 236 (3rd Cir. Aug. 24, 2015)
  • 10. Does your company have reasonable cybersecurity? 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce. 4. Phish all workforce (esp. leadership). 5. Signature based antivirus and malware detection. 6. Access controls. 7. Security updates and patch management. 8. Multi-factor authentication. 9. Backups segmented offline and redundant. 10. No outdated or unsupported software. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk assessment & management. 15. Intrusion detection and intrusion prevention systems. In re Target Data Security Breach Litigation, (Fin. Inst.) (Dec. 2, 2014) F.T.C. v. Wyndham Worldwide Corp., 299 F.3d 236 (3rd Cir. Aug. 24, 2015)
  • 11. Does your company have adequate internal network controls? 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce. 4. Phish all workforce (esp. leadership). 5. Signature based antivirus and malware detection. 6. Access controls. 7. Security updates and patch management. 8. Multi-factor authentication. 9. Backups segmented offline and redundant. 10. No outdated or unsupported software. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk assessment & management. 15. Intrusion detection and intrusion prevention systems. F.T.C. v. LabMD, (July 2016 FTC Commission Order)
  • 12. Does your company have written policies and procedures focused on cybersecurity? 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce. 4. Phish all workforce (esp. leadership). 5. Signature based antivirus and malware detection. 6. Access controls. 7. Security updates and patch management. 8. Multi-factor authentication. 9. Backups segmented offline and redundant. 10. No outdated or unsupported software. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk assessment & management. 15. Intrusion detection and intrusion prevention systems. SEC v. R.T. Jones Capital, Consent Order (Sept. 22, 2015)
  • 13. Does your company have a written cybersecurity incident response plan? 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce. 4. Phish all workforce (esp. leadership). 5. Signature based antivirus and malware detection. 6. Access controls. 7. Security updates and patch management. 8. Multi-factor authentication. 9. Backups segmented offline and redundant. 10. No outdated or unsupported software. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk assessment & management. 15. Intrusion detection and intrusion prevention systems. SEC v. R.T. Jones Capital, Consent Order (Sept. 22, 2015)
  • 14. Does your company manage third-party cyber risk? 1. Risk assessment. 2. Policies and procedures focused on cybersecurity. • Social engineering, password, security questions 3. Training of all workforce. 4. Phish all workforce (esp. leadership). 5. Signature based antivirus and malware detection. 6. Access controls. 7. Security updates and patch management. 8. Multi-factor authentication. 9. Backups segmented offline and redundant. 10. No outdated or unsupported software. 11. Incident response plan. 12. Encrypt sensitive and air-gap hypersensitive data. 13. Adequate logging and retention. 14. Third-party security risk assessment & management. 15. Intrusion detection and intrusion prevention systems. In re GMR Transcription Svcs, Consent Order (Aug. 14, 2014)
  • 15. How mature is your company’s cyber risk management program? “GMR Transcription Services, Inc. . . . Shall . . . establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondents’ or the business entity’s size and complexity, the nature and scope of respondents’ or the business entity’s activities, and the sensitivity of the personal information collected from or about consumers” In re GMR Transcription Svcs, Consent Order (Aug. 14, 2014)
  • 16. NYDFS Cybersecurity Regulation • All NY “financial institutions” + third party service providers. • Third party service providers – examine, obligate, audit. • Establish Cybersecurity Program (w/ specifics): • Logging, Data Classification, IDS, IPS; • Pen Testing, Vulnerability Assessments, Risk Assessment; and • Encryption, Access Controls. • Adopt Cybersecurity Policies. • Designate qualified CISO to be responsible. • Adequate cybersecurity personnel and intelligence. • Personnel Policies & Procedures, Training, Written IRP. • Chairman or Senior Officer Certify Compliance.
  • 17. EU General Data Protection Regulation (GDPR) • Goal: Protect data subjects residing in EU from privacy and data breaches. • When: May 25, 2018. • Reach: Applies to all companies (controllers and processors): • Processing data of EU residents (regardless of where processing), • In the EU (regardless of where processing), or • Offering goods or servcs to data subjects in EU or monitoring behavior in EU. • Penalties: up to 4% global turnover or €20 Million (whichever is greater). • Remedies: data subjects have judicial remedies, right to damages. • Data subject rights: • Breach notification – 72 hrs to DPA; “without undue delay” to data subjects. • Right to access – provide confirmation of processing and electronic copy (free). • Data erasure – right to be forgotten, erase, cease dissemination or processing. • Data portability – receive previously provided data in common format. • Privacy by design – include data protection in the designing systems.
  • 18. How mature is your company’s Cybersecurity Risk Management Program?
  • 20. “You don’t drown by falling in the water; You drown by staying there.” – Edwin Louis Cole
  • 21. • Board of Directors & General Counsel, Cyber Future Foundation • Board of Advisors, North Texas Cyber Forensics Lab • Policy Council, National Technology Security Coalition • Cybersecurity Task Force, Intelligent Transportation Society of America • Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016) • SuperLawyers Top 100 Lawyers in Dallas (2016) • SuperLawyers 2015-16 (IP Litigation) • Best Lawyers in Dallas 2014-16, D Magazine (Digital Information Law) • Council, Computer & Technology Section, State Bar of Texas • Privacy and Data Security Committee of the State Bar of Texas • College of the State Bar of Texas • Board of Directors, Collin County Bench Bar Conference • Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association • Information Security Committee of the Section on Science & Technology Committee of the American Bar Association • North Texas Crime Commission, Cybercrime Committee & Infragard (FBI) • International Association of Privacy Professionals (IAPP) Shawn Tuma Cybersecurity Attorney Scheef & Stone, L.L.P. 214.472.2135 shawn.tuma@solidcounsel.com @shawnetuma blog: www.shawnetuma.com web: www.solidcounsel.com