
SESSION ID: LAW-W04

Touring the World of Cybersecurity Law

PANELISTS:

John Smith
Vice President, Legal Cybersecurity & Privacy
Raytheon

Michael Sulmeyer
Director, Cyber Security Project
Belfer Center for Science and International Affairs
Harvard Kennedy School of Government

MODERATOR: Alan Charles Raul
Partner
Sidley Austin LLP

#RSAC Datamatters.sidley.com
Overview and How to Apply Today's Discussion

Introduction
International Law & Policy
National Law
Panel Discussion
Analysis
Application
Q&A

Introduction

Why governance of cyberspace is different and hard, and fascinating!
Cyberspace's reach across geopolitical boundaries defies traditional governance.
Who has authority to make the law?
What is the applicable law?
Who has the power to enforce it?
Codependency of public and private sectors: government duty, but mostly private assets
Different sets of rules to protect systems and data types:
Critical Infrastructure
Proprietary Information
Personal Data
Challenges of anonymity and attribution

International Law & Policy

Council of Europe Cybercrime Convention

No single international framework for cybersecurity law, but some multilateral efforts
Budapest Convention on Cybercrime (2001)
Council of Europe's effort to harmonize disparate national cybercrime laws.
Signatories promise to:
Adopt domestic legislation to establish procedures outlined in treaty (e.g., expedited preservation, search and seizure, interception of computer data).
Cooperate through mutual legal assistance (MLA) even if no more specific agreement (e.g., extradition, accessing computer data, interception).
Prosecute cybercrimes committed on its territory

EU Cybersecurity Framework

EU Network and Information Security (NIS) Directive
In January 2016, EU Parliament approved NIS Directive, proposed in 2013 EU Cyber Security Strategy. Expect formal approval by Council of Ministers, then EU countries must implement into national law within 21 months.

PRIVACY: Proposed EU General Data Protection Regulation
Extraterritorial Application and Enforcement. New law would apply to any company that controls or processes the personal data of Europeans through the offering of goods and services, even if company has no physical presence in Europe.

Fines of up to 4% of company's annual global revenue or €20 million for violations

National Cybersecurity Law

United States Cybersecurity Law

Cybersecurity legal parameters arise from multiple layers and sources.
Federal law:
Computer Fraud and Abuse Act prohibits unauthorized computer access, interference, obtaining data
Electronic Communications Privacy Act governs interception, access to data
State law fills gaps in federal law, but can set de facto national standards
Example: Massachusetts data breach requirement triggered by (1) substantial risk of identity theft or fraud OR (2) acquisition or use for an unauthorized purpose
Companies handling sensitive personal data must have Written Information Security Policy; encryption of personal data transmitted externally; and specific minimum administrative, technical, and physical security controls.

U.S. Cybersecurity Law: Critical Infrastructure and Information Sharing

Enhancing cybersecurity for critical infrastructure has been a key focus of the Obama administration.
February 2013: Executive Order 13636
Identifies 16 critical infrastructure areas
Regulators directed to review existing authorities and act to improve cybersecurity among regulated entities
February 2014: NIST releases Cybersecurity Framework and CI Cyber Community (C³)

Cybersecurity Act of 2015:
Information Sharing through DHS Portal. Establishes a voluntary framework for confidential, two-way sharing of cyber threat information between private sector and U.S. government, via a Department of Homeland Security portal; offers protection from liability for sharing.

U.S. Cybersecurity Law: Protecting Personal Information

Companies have generally applicable legal obligations to protect personal information.
Data Security: Massachusetts data security law requires specific affirmative acts
Data Breach Notification: State laws generally require alerts to state regulators and impacted individuals if breach involving personal data.
Companies may not make deceptive data security claims or engage in unfair data security practices. Policed by Federal Trade Commission and state regulators.
In certain sectors, specific laws impose additional layer of security duties for certain categories of sensitive personal data:
Financial Services: Gramm-Leach-Bliley Act (Nonpublic Personal Information, NPI)
Healthcare: HIPAA (Protected Health Information, PHI and ePHI)
Telecommunications Carriers: Communications Act (Customer Proprietary Network Information, CPNI)

Canada Cybersecurity Law

Criminal Code
Prohibits fraudulently and without color of right obtaining any computer service; or willful mischief to interfere with computer use or tamper with data.
Prohibits interception, access to electronic communications, but exceptions for consent (express or implied) or to protect the network.

Personal Information Protection & Electronic Documents Act (PIPEDA) (2005)
Reasonable administrative, technical, physical measures to protect personal data.

Enforcement
Entities: Office of the Privacy Commissioner of Canada enforces PIPEDA
Risk: high degree of privacy enforcement; deemed adequate country by EU

United Kingdom Cybersecurity Law

Computer Misuse Act of 1990 (Amended in 2006)
Prohibits hacking, unauthorised access to computer systems, and purposefully spreading malware.
Enforcement
UK ICO can issue an Enforcement Notice for breach of the data protection principles in the UK Data Protection Act of 1998. (This will change with GDPR in 2018.)
Staysure.com.uk (2015): Fine of £175,000 on holiday insurance company for inadequate security systems and policy, causing breach of credit card data of 90,000+ customers
Worldview Limited (2014): Fine of £7,500 for vulnerability in company's website, enabling hackers to access payment card data of 3,500+ customers

French Cybersecurity Law

French Data Protection Act
Omnibus privacy, data protection, and cybersecurity framework law
Enforcement
In May 2015, the CNIL issued a summary of its inspection program for 2015.
2014: CNIL conducted 421 inspections
2015: CNIL planned to conduct 550 inspections
Optical Center (2015): Fined €50,000 by the CNIL for inadequate security of customers' personal data (vulnerable customer login site, weak passwords).

German Cybersecurity Law

Federal Data Protection Act (BDSG)
IT Security Act (ITSG) (2015): critical infrastructure operators must:
Establish and implement a minimum set of security measures;
Verify implementation by conducting security audits;
Report incidents to Federal Office for Information Security (BSI).
Telecommunications Act (2014) contains sector-specific data security provisions. For example, section 109 requires the use of technical safeguards to prevent unauthorized access.
Enforcement:
Improper Data Processing Agreement (Bavarian DPA, 2015)
Imposed big fine on data controller for failure to adequately specify security controls to protect personal data in agreement with data processor.

Estonian Cybersecurity Law

National Department of Critical Infrastructure Protection
Coordinates IT security for 42 critical public and private services
Estonian Information Systems Authority (EISA)
Assists and supervises public and private sector organizations with IT security.
Responsible for encryption of electronic IDs issued to Estonian citizens and businesses.
Data Protection Inspectorate
Allows the public to request info about collection of personal data; promotes transparency of institutions performing public functions.
National CERT (CERT-EE)
Handles security incidents on the .ee domain (denial of service attacks, malware)

Chinese Cybersecurity Law

No comprehensive cybersecurity law
Draft Cybersecurity Law (July 2015) would consolidate existing powers, including monitoring, and introduces concept of Critical Information Infrastructure
Anti-terrorism Law (effective January 2016)
Requires telecom operators and Internet companies to provide technical interfaces, decryption and other technical support and assistance to China's government investigating terrorist activities, broadly defined. Omits controversial draft language requiring data localization and encryption key registration by foreign tech companies.
National Security Law (July 2015)
Government to ensure that key technologies and infrastructure, as well as information systems and data in important areas, are safe and controllable, so as to protect national sovereignty, security and development interests in cyberspace.
Computer Information Network and Internet Security, Protection, and Management Regulations
Internet service providers must secure processing of data, educate Internet users on security.

Japanese Cybersecurity Law

Criminal Code, and Act on the Prohibition of Unauthorized Computer Access (UCAL):
Prohibit computer fraud, malware, spyware, obstructing business by interfering, false data, unauthorized computer access.

Act on the Protection of Personal Information (APPI): duty of companies to secure personal data they handle
Enforcement
Entities: NO central data protection authority in Japan. APPI enforced by the ministry responsible for oversight of the sector containing the company at issue
Risk:
High risk if violations of Criminal Code, or UCAL
Moderate risk if privacy violations
When relevant ministry learns of a company's violation, ministry first contacts company informally to discuss problem, changes. Low risk of formal enforcement, unless fail to implement those changes.
Benesse (2014): after breach affected 35 million customers, the Ministry of Economy, Trade, and Industry directed company to change contracts with subs and own management and security controls.

South Korean Cybersecurity Law

Act on the Protection of Information and Communications Infrastructure
Information and Communications Network Act: detailed security standards for service providers
Personal Information Protection Act (PIPA)
One of strictest privacy regimes in world: breach damages awarded up to 3x actual harm claimed
Imposes security requirements on entities handling personal data

Breach Notification Required
PIPA and sectoral statutes require prompt notice of personal data breach to individuals and regulators

Enforcement
Risk: high if privacy violations
Google (2014): Fined ~$200K for harvesting sensitive personal data from wifi networks w/o consent

Indian Cybersecurity Law

India's Information Technology Act of 2000 (IT Act) addresses the protection of electronic data and computer-related offenses (e.g., hacking and tampering with computer source documents)
Under 2008 amendments, IT Act does not criminalize hacking, but prohibits computer-related fraud and tampering with computer source documents.
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (Privacy Rules)
Together, IT Act and Privacy Rules impose cyber requirements on companies.
Reasonable Security Practices interpreted as operation of documented, comprehensive information security program, policies, and procedures
Parties can specify reasonable security practices in contract.

Singapore Cybersecurity Law

Computer Misuse and Cybersecurity Act governs cybercrime:
Unauthorized access to or modification of computer material;
Unauthorized use or interception of a computer service;
2013 Amendments address cyber threats to critical information infrastructure
Minister of Home Affairs can direct companies to take preemptive measures necessary to prevent, detect, or counter any cyber threat to national security, essential services, or foreign relations of Singapore.
Personal Data Protection Act 2012 is Singapore's first comprehensive framework for personal data protection.
Individuals and organizations must protect personal data with reasonable security arrangements to prevent unauthorized access or similar risks.

Australia Cybersecurity Law

Telecommunications (Interception and Access) Act 1979
May intercept data if one party consents OR if owner performing network security and informs employees
Employer may monitor employees' personal data too, if sufficient nexus to EE record/relationship + inform employees

Privacy Act 1998 (amended 2014)
Exemption for employer actions directly connected to employee record/relationship
Reasonable steps to protect personal data (data breach policy, incident response plan)
No general data breach notice mandate, but is required in health and financial sectors

Enforcement
Entities: Australian Information Commissioner and the Privacy Commissioner
Makes determinations on alleged breaches of Privacy Act, enforceable by court
Risk: higher since 2014; new power for Privacy Commissioner: penalties, enforceable order
Maximum civil penalty for privacy violations: AU$1.7 million for companies
Adobe (2015): AIC found Adobe's handling of customer password hints violated Privacy Act; recommended security changes

UAE Cybersecurity Law

Cyber Crimes Law:
2012 Amendments expand scope of offenses, definition of privacy violations and monetary penalties and punishment
Offenses: Strict liability standard for unauthorized access to electronic sites and information; no intent required.
Penalties: Increase with perceived sensitivity of data accessed or disclosed. Many violations entail imprisonment or deportation.
No comprehensive data protection law
Telecommunications Regulatory Authority
Oversees telecommunications, information technology, and Internet regulation
National CERT (aeCERT)
Provides incident response support and cybersecurity awareness training

Panel Discussion

Analysis: Tensions in Global Cyberspace

The rapid growth of the Internet and sophistication of cybercrime continues to outpace the ability of the legal system to respond. The attribution problem makes policing and accountability particularly difficult.
Cyber assets are distributed between the public sector and private sector, and the private sector is comprised of a wide range of disparate entities.
There is a lack of international coordination on cyber issues. As a result, there is no centralized international cyber threat information sharing or common computer incident response teams.
Different values among countries; different levels of preparedness; different degrees of interest and risks.
Companies and governments face overlapping and conflicting sets of laws:
Harmonization vs. divergence of regional and national laws
Personal data laws and system/infrastructure obligations are not integrated or reconciled
Quality of company's cybersecurity depends in part on visibility into traffic on its own network, but such insight can be in tension with cultural and sometimes legal barriers to electronic monitoring of employees.
Approach to implementation: market-driven vs. regulatory
Governance: government-centric vs. multi-stakeholder

Analysis: Regionalism in Law and Policy

Prominence of regionalism reflected in emergence of international and regional cybersecurity instruments

Instruments developed in the context of, or inspired by:
Council of Europe or the European Union
Commonwealth of Independent States or the Shanghai Cooperation Organization
intergovernmental African organizations
League of Arab States
United Nations

Substantial cross-fertilization exists among all instruments
Example: concepts in the Budapest Convention on Cybercrime by Council of Europe.

Trend: regional and national incorporation of treaty-based cybersecurity legal regimes

Applying What You've Learned

Next week, you should:
Meet your cyber lawyer; begin talking about legal aspects of managing cyber risks
Begin identifying and mapping regional, national, and subnational cyber legal rules, wherever you do business

In the next 6 months, you should:
Conduct a cyber legal assessment to determine vulnerabilities, risks, and resources
Develop, update, and maintain written policies and procedures, including on governance by Board of Directors.
Identify the cybersecurity tools and services used by your company; learn how they work and handle data; and then analyze them against current law in each jurisdiction where your company uses them.

Before next year's RSA conference, you should:
Develop and maintain cybersecurity training programs for employees and contractors
Deploy information security safeguards for vendors/service providers, including reporting and due diligence
Regularly test and update all assessments, safeguards, and protocols

Q&A

Questions and Answers