Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/4/2016
08:00 AM
Jason Straight
Jason Straight
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
0%
100%

Avoiding Legal Landmines in Data Breach Response

Building a legally defensible cybersecurity program means seeking out guidance from legal advisors before a serious incident forces you together.

Lawyers and information security professionals have something very fundamental in common: We see risk everywhere we look. 

As someone who began his career as an attorney but has gradually transitioned into information security, I have hung around long enough now to see the two disciplines gradually converge. Cybersecurity and the law are colliding all around us—sometimes violently, but increasingly in a more productive and mutually beneficial way. I have been an advisor to lawyers and security professionals alike, helping each understand the perspective and preoccupations of the other. Each discipline needs the other, and nowhere is that more apparent than in the area of data breach response. 

Companies who suffer a security breach that exposes sensitive information can now expect to be abruptly thrust into one legal process or another. Whether that process takes the form of a regulatory inquiry, a class-action suit or a contractual dispute, counsel’s role in helping respond to what was long considered “an IT issue” is more critical than ever before. For this reason, proactive cybersecurity professionals have begun seeking guidance from the legal department before an incident forces them together.

But where to start? 

I recommend that legal and cybersecurity professionals focus their initial collaborative efforts on achieving defensibility. From a legal perspective, a defensible security program is one that will withstand post-breach scrutiny and be deemed “reasonable” under the microscope of hindsight. Developing a defensible cybersecurity risk program involves working backwards from the moment of breach impact to look at all the steps along the way that could have been taken to prevent or mitigate the damage from a breach event. 

Why do I suggest this as a starting point? Because scrutiny of the steps taken – or not taken – to forestall a cybersecurity incident will undoubtedly come once you have suffered an incident. It’s far better to have taken a look in the mirror before you present yourself to the world. Despite the fact that your program will, by definition, have “failed” by the time the scrutiny commences, it is still possible to demonstrate your diligence in limiting exposure and containing the damage.

So how can you ensure your diligence is reasonably defensible?

Lawyers will rightly point to the concept of precedence. Courts are nearly always influenced—and in some cases bound—by similar cases and judicial reasoning that have come before. While there are not many judicial opinions at this stage that provide concrete parameters around what constitutes a defensible cybersecurity program, there are several potential sources of guidance.

A good starting point is to identify the regulators most relevant to your business. If you are in the financial services sector, then the Securities and Exchange Commission (SEC), the Federal Reserve Board (FRB) and the Consumer Financial Protection Bureau (CFPB) will likely be on your list. If you are in the retail or hospitality sector, you should pay close attention to the Federal Trade Commission (FTC) as well as state-level consumer protection law enforcers. Once you’ve compiled your list of regulators, do some research to identify what they have been doing – and saying – about cybersecurity. In addition to looking at the regulations themselves and formal filings by the agencies, you will also find speeches, position papers and bulletins that can help clarify what regulators find most important when it comes to cybersecurity risk management. If you are a security professional blanching at the thought of this exercise, here’s a hint: Most lawyers love a task like this, and are actually quite good at it. But they’ll undoubtedly need your help in interpreting what they find and understanding its implications.

It is important to note that this is not a compliance exercise.

Attaining a defensible security posture goes beyond merely being able to pass an audit. Indeed, much of the “guidance” out there will not present hard-and-fast rules. Logic and judgment are required for you to settle on a defensible standard. Security pros will need to help their legal colleagues understand the reality that aggressive security measures tend to undermine convenience and practicality. A good example is encryption, which can be very effective in protecting sensitive data and  meeting regulatory and judicial guidelines. But any IT professional will tell you that encryption technology is expensive and implementation can create operational delays and challenges that render it unfeasible. For instance, encrypting data at rest in a high-capacity data processing environment can grind processing operations to a halt. Finding the right balance between security and practicality is what achieving defensibility is all about. 

Security and legal professionals have a lot more in common than you might think. Avoiding the many hidden traps and obstacles in building a cybersecurity program requires openness to collaboration and real creativity. Bringing together legal and cybersecurity practitioners is the surest path to achieving a defensible cybersecurity program.   

Related Content:

  

Interop 2016 Las VegasCheck out Jason's upcoming presentation on legal landmines around IT infrastructure, Wednesday, May 4, at Interop 2016 at the Mandalay Bay Convention Center, Las Vegas. Click here for pricing information and to register.

Jason Straight<http://www.unitedlex.com/about-us/jason-straight.php> is the Senior Vice President and Chief Privacy officer at UnitedLex<http://www.unitedlex.com/>. He has more than a decade of experience assisting clients in managing information security risks, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
moarsauce123
100%
0%
moarsauce123,
User Rank: Ninja
5/16/2016 | 7:27:25 PM
Avoid lawyers talking cyber
Avoid paying lawyers like baldy here to write about cyber. I'm dumber having read this. This clown went from bilking legal clients hourly to now charging per hour for cyber for his company for people stupid enough to hire him with experience doing what? Find some better authors please.
Gary Scott
0%
100%
Gary Scott,
User Rank: Strategist
4/18/2016 | 6:56:49 PM
Lawyers see risk everywhere
Has the process of computer recycling or IT decommissioning hit your radar?  i've found many companies don't have policies and procedures for data destruction - from storing equipment to be recycled to how to destroy digital media such as hard drivs and backup tapes.
Psychologue Lyon
0%
100%
Psychologue Lyon,
User Rank: Guru
4/6/2016 | 3:10:29 PM
Security and justice
I am a French psychologist and I am pleased that you think about 
the data security problem and the legal consequences that this may have ...
In France it's much more complicated to address this problem .
Thank you for your post !
wendycohen
0%
100%
wendycohen,
User Rank: Apprentice
4/5/2016 | 3:48:39 PM
Protect the data BEFORE you're breached
The key is to protect the data before you're breached.  All organizations must understand and know how their organization monitors its sensitive data, stays compliant and if a DLP system is in place; can it actually block valuable data from being breached? 

A few suggested best practices for Global Governance, Risk & Compliance are:

- Be aware of the data that is being sent out of your control

- Know what data can be sent out of the network, is it being sent and where to

- Data detection accuracy of the organizations DLP system ensures the protection of the sensitive data with the proper control and notification of irregular activity. 

For more information on Data Security GR&C go to gttb

 

Wendy Cohen

GM Global Cloud Data Protection Practice

GTB Technologies, the "Content Aware" Data Protection Co.

#dlpthatworks
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11931
PUBLISHED: 2019-11-14
A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE. This affects Android versions prior to 2.19.274, iOS versions prio...
CVE-2019-18980
PUBLISHED: 2019-11-14
On Signify Philips Taolight Smart Wi-Fi Wiz Connected LED Bulb 9290022656 devices, an unprotected API lets remote users control the bulb's operation. Anyone can turn the bulb on or off, or change its color or brightness remotely. There is no authentication or encryption to use the control API. The o...
CVE-2019-17391
PUBLISHED: 2019-11-14
An issue was discovered in the Espressif ESP32 mask ROM code 2016-06-08 0 through 2. Lack of anti-glitch mitigations in the first stage bootloader of the ESP32 chip allows an attacker (with physical access to the device) to read the contents of read-protected eFuses, such as flash encryption and sec...
CVE-2019-18651
PUBLISHED: 2019-11-14
A cross-site request forgery (CSRF) vulnerability in 3xLogic Infinias Access Control through 6.6.9586.0 allows remote attackers to execute malicious and unauthorized actions (e.g., delete application users) by sending a crafted HTML document to a user that the website trusts. The user needs to have ...
CVE-2019-18978
PUBLISHED: 2019-11-14
An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.