Cybersecurity Law

Michael Sulmeyer
Director, Cyber Security Project
Belfer Center for Science and International Affairs
Harvard Kennedy School of Government

MODERATOR: Alan Charles Raul
Partner
Sidley Austin LLP

#RSAC Datamatters.sidley.com
Overview and How to Apply Today's Discussion

Introduction
International Law & Policy
National Law
Panel Discussion
Analysis
Application
Q&A
Introduction

Why governance of cyberspace is different and hard, and fascinating!

Cyberspace's reach across geopolitical boundaries defies traditional governance.
    Who has authority to make the law?
    What is the applicable law?
    Who has the power to enforce it?
Codependency of public and private sectors: government duty, but mostly private assets
Different sets of rules to protect systems and data types
    Critical Infrastructure
    Proprietary Information
    Personal Data
Challenges of anonymity and attribution
International Law & Policy
Council of Europe Cybercrime Convention

No single international framework for cybersecurity law, but some multilateral efforts
Budapest Convention on Cybercrime (2001)
    Council of Europe's effort to harmonize disparate national cybercrime laws.
    Signatories promise to:
        Adopt domestic legislation to establish procedures outlined in treaty (e.g., expedited preservation, search and seizure, interception of computer data).
        Cooperate through mutual legal assistance (MLA) even if no more specific agreement (e.g., extradition, accessing computer data, interception).
        Prosecute cybercrimes committed on its territory
EU Cybersecurity Framework

EU Network and Information Security (NIS) Directive
    In January 2016, EU Parliament approved NIS Directive, proposed in 2013 EU Cyber Security Strategy. Expect formal approval by Council of Ministers, then EU countries must implement into national law within 21 months.
PRIVACY: Proposed EU General Data Protection Regulation
    Extraterritorial Application and Enforcement. New law would apply to any company that controls or processes the personal data of Europeans through the offering of goods and services, even if company has no physical presence in Europe.
    Fines of up to 4% of company's annual global revenue or €20 million for violations
National Cybersecurity Law
United States Cybersecurity Law

Cybersecurity legal parameters arise from multiple layers and sources.
Federal law
    Computer Fraud and Abuse Act prohibits unauthorized computer access, interference, obtaining data
    Electronic Communications Privacy Act governs interception, access to data
State law fills gaps in federal law, but can set de facto national standards
    Example: Massachusetts data breach requirement triggered by a (1) substantial risk of identity theft or fraud (2) OR acquisition or use for an unauthorized purpose
    Companies handling sensitive personal data must have Written Information Security Policy; encryption of personal data transmitted externally; and specific minimum administrative, technical, and physical security controls.
U.S. Cybersecurity Law: Critical Infrastructure and Information Sharing

Enhancing cybersecurity for critical infrastructure has been a key focus of the Obama administration.
February 2013: Executive Order 13636
    Identifies 16 critical infrastructure areas
    Regulators directed to review existing authorities and act to improve cybersecurity among regulated entities
February 2014: NIST releases Cybersecurity Framework and CI Cyber Community (C³)
Cybersecurity Act of 2015:
    Information Sharing through DHS Portal. Establishes a voluntary framework for confidential, two-way sharing of cyber threat information between private sector and U.S. government, via a Department of Homeland Security portal; offers protection from liability for sharing.
U.S. Cybersecurity Law: Protecting Personal Information

Companies have generally applicable legal obligations to protect personal information.
    Data Security: Massachusetts data security law requires specific affirmative acts
    Data Breach Notification: State laws generally require alerts to state regulators and impacted individuals if breach involving personal data.
    Companies may not make deceptive data security claims or engage in unfair data security practices. Policed by Federal Trade Commission and state regulators.
In certain sectors, specific laws impose additional layer of security duties for certain categories of sensitive personal data.
    Financial Services: Gramm-Leach-Bliley Act (Nonpublic Personal Information, NPI)
    Healthcare: HIPAA (Protected Health Information, PHI and ePHI)
    Telecommunications Carriers: Communications Act (Customer Proprietary Network Information, CPNI)
Canada Cybersecurity Law

Criminal Code
    Prohibits fraudulently and without color of right obtaining any computer service; or willful mischief to interfere with computer use or tamper with data.
    Prohibits interception, access to electronic communications, but exceptions for consent (express or implied) or to protect the network.
Personal Information Protection & Electronic Documents Act (PIPEDA) (2005)
    Reasonable administrative, technical, physical measures to protect personal data.
Enforcement
    Entities: Office of the Privacy Commissioner of Canada enforces PIPEDA
    Risk: high degree of privacy enforcement; deemed adequate country by EU
United Kingdom Cybersecurity Law

Computer Misuse Act of 1990 (Amended in 2006)
    Prohibits hacking, unauthorised access to computer systems, and purposefully spreading malware.
Enforcement
    UK ICO can issue an Enforcement Notice for breach of the data protection principles in the UK Data Protection Act of 1998. (This will change with GDPR in 2018.)
    Staysure.co.uk (2015): Fine of £175,000 on holiday insurance company for inadequate security systems and policy, causing breach of credit card data of 90,000+ customers
    Worldview Limited (2014): Fine of £7,500 for vulnerability in company's website, enabling hackers to access payment card data of 3,500+ customers
French Cybersecurity Law

French Data Protection Act
    Omnibus privacy, data protection, and cybersecurity framework law
Enforcement
    In May 2015, the CNIL issued a summary of its inspection program for 2015.
        2014: CNIL conducted 421 inspections
        2015: CNIL planned to conduct 550 inspections
    Optical Center (2015): Fined €50,000 by the CNIL for inadequate security of customers' personal data (vulnerable customer login site, weak passwords).
German Cybersecurity Law

Federal Data Protection Act (BDSG)
IT Security Act (ITSG) (2015): critical infrastructure operators must:
    Establish and implement a minimum set of security measures;
    Verify implementation by conducting security audits;
    Report incidents to Federal Office for Information Security (BSI).
Telecommunications Act (2014) contains sector-specific data security provisions.
    For example, section 109 requires the use of technical safeguards to prevent unauthorized access.
Enforcement:
    Improper Data Processing Agreement (Bavarian DPA, 2015)
        Imposed big fine on data controller for failure to adequately specify security controls to protect personal data in agreement with data processor.
Estonian Cybersecurity Law

National Department of Critical Infrastructure Protection
    Coordinates IT security for 42 critical public and private services
Estonian Information Systems Authority (EISA)
    Assists and supervises public and private sector organizations with IT security.
    Responsible for encryption of electronic IDs issued to Estonian citizens and businesses.
Data Protection Inspectorate
    Allows the public to request info about collection of personal data; promotes transparency of institutions performing public functions.
National CERT (CERT-EE)
    Handles security incidents on the .ee domain (denial of service attacks, malware)
Chinese Cybersecurity Law

No comprehensive cybersecurity law
    Draft Cybersecurity Law (July 2015) would consolidate existing powers, including monitoring, and introduces concept of Critical Information Infrastructure
Anti-terrorism Law (effective January 2016)
    Requires telecom operators and Internet companies to provide technical interfaces, decryption and other technical support and assistance to China's government investigating terrorist activities, broadly defined. Omits controversial draft language requiring data localization and encryption key registration by foreign tech companies.
National Security Law (July 2015)
    Government to ensure that key technologies and infrastructure, as well as information systems and data in important areas, are safe and controllable, so as to protect national sovereignty, security and development interests in cyberspace.
Computer Information Network and Internet Security, Protection, and Management Regulations
    Internet service providers must secure processing of data, educate Internet users on security.
Japanese Cybersecurity Law

Criminal Code, and Act on the Prohibition of Unauthorized Computer Access (UCAL):
    Prohibit computer fraud, malware, spyware, obstructing business by interfering, false data, unauthorized computer access.
Act on the Protection of Personal Information (APPI): duty of companies to secure personal data they handle
Enforcement
    Entities: NO central data protection authority in Japan. APPI enforced by the ministry responsible for oversight of the sector containing the company at issue
    Risk:
        High risk if violations of Criminal Code, or UCAL
        Moderate risk if privacy violations
    When relevant ministry learns of a company's violation, ministry first contacts company informally to discuss problem and changes. Low risk of formal enforcement, unless company fails to implement those changes.
    Benesse (2014): after breach affected 35 million customers, the Ministry of Economy, Trade, and Industry directed company to change contracts with subcontractors and its own management and security controls.
South Korean Cybersecurity Law

Act on the Protection of Information and Communications Infrastructure
Information and Communications Network Act: detailed security standards for service providers
Personal Information Protection Act (PIPA)
    One of strictest privacy regimes in world: breach damages awarded up to 3x actual harm claimed
    Imposes security requirements on entities handling personal data
Breach Notification Required
    PIPA and sectoral statutes require prompt notice of personal data breach to individuals and regulators
Enforcement
    Risk: high if privacy violations
    Google (2014): Fined ~$200K for harvesting sensitive personal data from wifi networks w/o consent
Indian Cybersecurity Law

India's Information Technology Act of 2000 (IT Act) addresses the protection of electronic data and computer-related offenses (e.g., hacking and tampering with computer source documents)
    Under 2008 amendments, IT Act does not criminalize hacking, but prohibits computer-related fraud and tampering with computer source documents.
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules: Privacy Rules
    Together, IT Act and Privacy Rules impose cyber requirements on companies.
    Reasonable Security Practices interpreted as operation of documented, comprehensive information security program, policies, and procedures
    Parties can specify reasonable security practices in contract.
Singapore Cybersecurity Law

Computer Misuse and Cybersecurity Act governs cybercrime.
    Unauthorized access to or modification of computer material;
    Unauthorized use or interception of a computer service;
    2013 Amendments address cyber threats to critical information infrastructure
        Minister of Home Affairs can direct companies to take preemptive measures necessary to prevent, detect, or counter any cyber threat to national security, essential services, or foreign relations of Singapore.
Personal Data Protection Act 2012 is Singapore's first comprehensive framework for personal data protection.
    Individuals and organizations must protect personal data with reasonable security arrangements to prevent unauthorized access or similar risks.
Australia Cybersecurity Law

Telecommunications (Interception and Access) Act 1979
    May intercept data if one party consents OR if owner performing network security and informs employees
    Employer may monitor employee's personal data too, if sufficient nexus to employee record/relationship + inform employees
Privacy Act 1998 (amended 2014)
    Exemption for employer actions directly connected to employee record/relationship
    Reasonable steps to protect personal data (data breach policy, incident response plan)
    No general data breach notice mandate, but is required in health and financial sectors
Enforcement
    Entities: Australian Information Commissioner and the Privacy Commissioner
        Makes determinations on alleged breaches of Privacy Act, enforceable by court
    Risk: higher since 2014; new power for Privacy Commissioner: penalties, enforceable order
        Maximum civil penalty for privacy violations: AU$1.7 million for companies
    Adobe (2015): AIC found Adobe's handling of customer password hints violated Privacy Act; recommended security changes
UAE Cybersecurity Law

Cyber Crimes Law:
    2012 Amendments expand scope of offenses, definition of privacy violations and monetary penalties and punishment
    Offenses: Strict liability standard for unauthorized access to electronic sites and information; no intent required.
    Penalties: Increase with perceived sensitivity of data accessed or disclosed. Many violations entail imprisonment or deportation.
No comprehensive data protection law
Telecommunications Regulatory Authority
    Oversees telecommunications, information technology, and Internet regulation
National CERT (aeCERT)
    Provides incident response support and cybersecurity awareness training
Panel Discussion
Analysis: Tensions in Global Cyberspace

The rapid growth of the Internet and sophistication of cybercrime continues to outpace the ability of the legal system to respond. The attribution problem makes policing and accountability particularly difficult.
Cyber assets are distributed between the public sector and private sector, and the private sector is comprised of a wide range of disparate entities.
There is a lack of international coordination on cyber issues. As a result, there is no centralized international cyber threat information sharing or common computer incident response teams.
Different values among countries; different levels of preparedness; different degrees of interest and risks.
Companies and governments face overlapping and conflicting sets of laws:
    Harmonization vs. divergence of regional and national laws
    Personal data laws and system/infrastructure obligations are not integrated or reconciled
Quality of company's cybersecurity depends in part on visibility into traffic on its own network, but such insight can be in tension with cultural and sometimes legal barriers to electronic monitoring of employees.
Approach to implementation: market-driven vs. regulatory
Governance: government-centric vs. multi-stakeholder
Analysis: Regionalism in Law and Policy

Prominence of regionalism reflected in emergence of international and regional cybersecurity instruments
Instruments developed in the context of, or inspired by:
    Council of Europe or the European Union
    Commonwealth of Independent States or the Shanghai Cooperation Organization
    intergovernmental African organizations
    League of Arab States
    United Nations
Substantial cross-fertilization exists among all instruments
    Example: concepts in the Budapest Convention on Cybercrime by Council of Europe.
Trend: regional and national incorporation of treaty-based cybersecurity legal regimes
Applying What You've Learned

Next week, you should:
    Meet your cyber lawyer; begin talking about legal aspects of managing cyber risks
    Begin identifying and mapping regional, national, and subnational cyber legal rules, wherever you do business
In the next 6 months, you should:
    Conduct a cyber legal assessment to determine vulnerabilities, risks, and resources
    Develop, update, and maintain written policies and procedures, including on governance by Board of Directors.
    Identify the cybersecurity tools and services used by your company; learn how they work and handle data; and then analyze them against current law in each jurisdiction where your company uses them.
Before next year's RSA conference, you should:
    Develop and maintain cybersecurity training programs for employees and contractors
    Deploy information security safeguards for vendors/service providers, including reporting and due diligence
    Regularly test and update all assessments, safeguards, and protocols
Q&A

Questions and Answers