cybersecurity legal requirements today and tomorrow
play

Cybersecurity Legal Requirements Today and Tomorrow AND HOW TO - PowerPoint PPT Presentation

Nov 02, 2022 •308 likes •639 views

Cybersecurity Legal Requirements Today and Tomorrow AND HOW TO MINIMIZE LIABILITY RISK IN CHANGING TIMES Robert Kriss Partner +1 312 701 7165 rkriss@mayerbrown.com Speakers Robert Kriss Partner - Chicago Overview What is the current

  1. Cybersecurity Legal Requirements Today and Tomorrow AND HOW TO MINIMIZE LIABILITY RISK IN CHANGING TIMES Robert Kriss Partner +1 312 701 7165 rkriss@mayerbrown.com

  2. Speakers Robert Kriss Partner - Chicago

  3. Overview • What is the current legal approach to cybersecurity in the United States? • How might that approach change in the future? • What can my company do to minimize liability risk in the evolving legal environment? environment? 71

  4. CURRENT REGULATORY APPROACHES TO CYBERSECURITY

  5. State and Federal Regulation • A general reasonableness/negligence standard is imposed by many federal and state regulatory agencies • Often there is a requirement to conduct a risk assessment and take reasonable steps to mitigate the risks identified, as well as to prepare written reasonable steps to mitigate the risks identified, as well as to prepare written plans and policies • A few state and federal regulatory agencies have issued additional specific requirements such as encryption and multi-factor authentication 73

  6. Examples of Specific Safeguards Required by States • New York State Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies – Encryption of information at rest and transmitted over external networks or alternative compensating controls external networks or alternative compensating controls – Multi-factor authentication for external access or reasonably equivalent controls 74

  7. Examples of Safeguards Required by the States • Regular cybersecurity training for all personnel • Penetration testing and vulnerability assessments • Application security 75

  8. Examples of Specific Safeguards Required by States • California – – California law requires “reasonable security procedures and practices appropriate to the nature of the information.” – However, the California Attorney General’s Office has However, the California Attorney General’s Office has announced that the 20 CIS Critical Security Controls constitute minimal requirements for reasonable security • Examples: multi-factor authentication for remote and administrative access; encryption of information over public networks; continuous vulnerability assessments; installation of anti-malware protection 76

  9. FTC Enforcement • The FTC brings enforcement actions under the “deception” and “unfairness” prongs of Section 5 of the FTC Act • The FTC’s approach is case-by-case and is based upon its • The FTC’s approach is case-by-case and is based upon its view of reasonable practices rather than promulgated rules • The FTC’s approach was sustained on appeal. See FTC v. Wyndham Worldwide Corp ., 799 F.3d 236 (3d Cir. 2015) 77

  10. FTC Enforcement • FTC published a “best practices” guidance document based upon the enforcement cases it has brought • FTC’s “Start With Security: A Guide for Business” - practical lessons based upon 50+ cases, including but not limited to: – Limit access to information on a “need to know” basis, particularly administrative access – Limit access to information on a “need to know” basis, particularly administrative access – Complex and unique passwords – Limit the number of unsuccessful attempts to log in – Encryption of sensitive data during storage and transmission – Segment network to isolate sensitive data – Application security – Include provisions requiring security precautions in service provider contracts 78

  11. HIPAA • HIPAA requires a risk assessment and reasonable safeguards but also specifies particular safeguards that must be implemented (e.g., developing a disaster recovery plan) and other safeguards that must be addressed and either implemented or a must be addressed and either implemented or a contemporaneous written explanation must be prepared to justify the decision not to implement (e.g., encryption) 79

  12. Federal Information Security Management Act • Applicable to federal agencies and private contractors of federal agencies • Requires identification and classification of information by risk level • Requires selection of specific controls from sets of baseline controls • Requires selection of specific controls from sets of baseline controls corresponding to risk levels, as set forth in NIST 800-53 80

  13. CLASS ACTION LITIGATION

  14. Class Action Litigation • Many hurdles for plaintiffs to clear – Standing – Motions to dismiss for failure to state a claim – Class certification – Class certification – Liability – Proof of damages 82

  15. Class Action Standing • Disagreement among the federal circuits concerning standing requirements – Seventh Circuit decisions could be interpreted as finding standing based interpreted as finding standing based upon deliberate data breach. See Remijas v. Neiman Marcus Grp ., LLC, 794 F.3d 688 (7th Cir. 2015) – Other circuits require some evidence of actual misuse of data. See Reilly v. Ceridian Corp ., 664 F.3d 38 (3d Cir. 2011) 83

  16. Motions to Dismiss • Most common claims: breach of implied contract; negligence; violation of state consumer protection act; unjust enrichment; declaratory judgment/injunction to prevent future breach • In many cases, one or more claims have survived, often implied contract • In many cases, one or more claims have survived, often implied contract and state consumer protection act 84

  17. Motions to Dismiss (con’t.) • Highest risk claims – unjust enrichment and declaratory judgment/injunction to prevent future breach • These claims could avoid difficulties in proving injury and damages on an individual basis individual basis • We recently succeeded in having those claims dismissed • Results are mixed around the country 85

  18. Class Certification • Until March of this year, no contested consumer class had been certified • Very few cases have reached this procedural point because in the past most were dismissed on standing grounds past most were dismissed on standing grounds 86

  19. Class Certification (con’t.) • A class of banks suing a retailer was certified. In re Target Corp. Customer Data Sec. Breach Litig ., 309 F.R.D. 482 (D. Minn. 2015) • A class of consumers was certified. Smith v. Triad of Alabama , LLC , No. 1:14- CV-324-WKW, 2017 WL 1044692, at *16 (M.D. Ala. Mar. 17, 2017) CV-324-WKW, 2017 WL 1044692, at *16 (M.D. Ala. Mar. 17, 2017) 87

  20. Issues Not Addressed Yet LIABILITY DAMAGES • How to determine damages in • How to determine what is a cybersecurity class action adequate security • What types of damages will be • What types of damages will be • What is adequate What is adequate recoverable in a cybersecurity security? class action? 88

  21. Possible Future Directions • State and federal regulation – More rules imposing additional specific requirements probably will be issued by various agencies – Regulatory agencies may begin to scrutinize reasonableness of Regulatory agencies may begin to scrutinize reasonableness of risk assessments and responses to risk assessments risk assessments and responses to risk assessments – FTC will likely continue its case-by-case approach; FTC will focus attention on failures to implement safeguards in its guidance document 89

  22. Possible Future Directions (con’t.) • Class Action Litigation – More cases may be certified and defendants will have to address liability and damages – The issue of whether defendant implemented The issue of whether defendant implemented reasonable safeguards may be resolved in a reasonable safeguards may be resolved in a manner similar to medical malpractice claims (“Battle of Experts” in front of a jury) 90

  23. Possible Future Directions (con’t.) • Class Action Litigation (con’t.) – State and federal regulations requiring specific safeguards and “guidance” documents may be used to establish at least a minimum standard for reasonable safeguards, whether or not the regulations or guidance technically apply to defendant apply to defendant – Consulting reports obtained by defendants in the regular course of business may be used to determine whether defendant implemented reasonable safeguards 91

  24. Possible Future Directions (con’t.) • Class Action Litigation (con’t.) – Rules Enabling Act and judicial precedent support requirement for individualized damages determinations ( See Smith v. Triad of Alabama, LLC , No. 1:14-CV-324-WKW, 2017 WL 1044692 at *16 (M.C. Ala. Mar. 17, 2017)) – Plaintiffs may press for class-wide damages for lost time based upon averages Plaintiffs may press for class-wide damages for lost time based upon averages 92

  25. Possible Future Directions (con’t.) • Class Action Litigation (con’t.) – Plaintiffs may seek payment for credit monitoring or other types of identity- theft preventive measures regardless of whether class members incurred the cost on their own • Standing arguments against recovery for speculative injury Standing arguments against recovery for speculative injury • Analogous to medical monitoring and future injury cases 93

  26. Possible Future Directions (con’t.) • Class Action Litigation (con’t.) – Actions concerning the Internet of Things • Plaintiffs may seek injunctive relief to prevent injury • Plaintiffs may seek diminution in economic value 94

  27. RISK MITIGATION

Recommend

Today and Tomorrow HEARING LOSS TECHNOLOGY TODAY AND TOMORROW Laura E. Plummer, MA, CRC, ATP

Today and Tomorrow HEARING LOSS TECHNOLOGY TODAY AND TOMORROW Laura E. Plummer, MA, CRC, ATP

OPENING THE LINES OF COMMUNICATION Today and Tomorrow HEARING LOSS TECHNOLOGY TODAY AND TOMORROW Laura E. Plummer, MA, CRC, ATP Outreach Services WESP-DHH for the D~r a.nd ~rd of Hca r,n,1 OBJECTIVES Identify signaling and environmental

688 views • 43 slides
Cybersecurity Today CYBERSECURITY IN TODAYS WORLD Cyberattacks in Wyoming Medical

Cybersecurity Today CYBERSECURITY IN TODAYS WORLD Cyberattacks in Wyoming Medical

Cybersecurity Today CYBERSECURITY IN TODAYS WORLD Cyberattacks in Wyoming Medical Facilities Local Government Schools Law Enforcement Media Outlets The threat and how to think about it Ransomware has rapidly emerged as the most

398 views • 15 slides
Today s Technology, Tomorrow s Technology, Tomorrow s Therapy s Therapy Today

Today s Technology, Tomorrow s Technology, Tomorrow s Therapy s Therapy Today

Today s Technology, Tomorrow s Technology, Tomorrow s Therapy s Therapy Today Disclaimer Disclaimer The material contained in this presentation must be considered as general background information on Cygenics Ltd. This s general

602 views • 25 slides
Cybersecurity: Contractual guidelines and other recommendations to maximise the legal security

Cybersecurity: Contractual guidelines and other recommendations to maximise the legal security

Cybersecurity: Contractual guidelines and other recommendations to maximise the legal security of the space activities Avv. Francesco Amicucci Thales Alenia Space Italia S.p.A., Rome, Italy 1 Cybersecurity The state of being protected

589 views • 31 slides
Licensing requirements and council contracts Todays discussion To Today day we we wi will

Licensing requirements and council contracts Todays discussion To Today day we we wi will

Consumer and Business Services Licensing requirements and council contracts Todays discussion To Today day we we wi will co ll cover ver Legal requirements Consequences for unlicensed contracting Compliance &

692 views • 22 slides
Advising the C-Suite and Boards of Directors on Cybersecurity February 11, 2015 Agenda

Advising the C-Suite and Boards of Directors on Cybersecurity February 11, 2015 Agenda

Advising the C-Suite and Boards of Directors on Cybersecurity February 11, 2015 Agenda Introductions / Administrative Cybersecurity risk legal landscape Cyber threats Legal risks in the aftermath of a breach The role of the

207 views • 19 slides
What The Hack! Aldo Leiva Jorge Rey Agenda Introduction Cybersecurity Trends Legal

What The Hack! Aldo Leiva Jorge Rey Agenda Introduction Cybersecurity Trends Legal

What The Hack! Aldo Leiva Jorge Rey Agenda Introduction Cybersecurity Trends Legal Framework For Cybersecurity Compliance How Are Organizations Getting Hacked Oops, you clicked on the link. Now what? Best Practices and

1.09k views • 36 slides
Announcements Assignment 4 will be out later today Problem Set 3 is due today or tomorrow

Announcements Assignment 4 will be out later today Problem Set 3 is due today or tomorrow

Announcements Assignment 4 will be out later today Problem Set 3 is due today or tomorrow by 9am in my mail box (4 th floor NSH) How are the machines working out? I have a meeting with Peter Lee and Bob Cosgrove on Wednesday to

755 views • 37 slides
July 8, 2019 h-gac.com h-gac.com Serving Today Planning for Tomorrow Serving Today

July 8, 2019 h-gac.com h-gac.com Serving Today Planning for Tomorrow Serving Today

July 8, 2019 h-gac.com h-gac.com Serving Today Planning for Tomorrow Serving Today Planning for Tomorrow Parks and Natural Areas Roundtable July 8, 2019 Agenda Welcome and Introductions Presentation Kenneth Barnadyn, City of

531 views • 6 slides
A Legal Framework for Cybersecurity Deirdre K. Mulligan Fred B. Schneider School of Information

A Legal Framework for Cybersecurity Deirdre K. Mulligan Fred B. Schneider School of Information

A Legal Framework for Cybersecurity Deirdre K. Mulligan Fred B. Schneider School of Information Computer Science UC Berkeley Cornell University Outline of Talk Brief background Why shift in legal framework is appropriate

764 views • 27 slides
U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity cybersecurity? William J. Perry Martin Casado Keith Coleman Dan Wendlandt MS&E 91SI Spring 2004 Stanford University U.S. National Cybersecurity

79 views • 7 slides
Assure financial future today for a better tomorrow Creating a better tomorrow Disclaimer THIS

Assure financial future today for a better tomorrow Creating a better tomorrow Disclaimer THIS

Assure financial future today for a better tomorrow Creating a better tomorrow Disclaimer THIS PRESENTATION IS NOT AN OFFER OR SOLICITATION OF AN OFFER TO BUY OR SELL ANY SECURITIES OR ANY INVESTMENT This presentation has been prepared by

528 views • 27 slides
Legal requirements on gas meters in Germany and the interoperability of national gas grids

Legal requirements on gas meters in Germany and the interoperability of national gas grids

Legal requirements on gas meters in Germany and the interoperability of national gas grids Dr.-Ing. B. Mickan Content Introduction to PTB Fields of legal regulations EU regulation 2015/703 MPEs and MUs: central requirements

231 views • 21 slides
Legal and Policy Issues with Maritime Cybersecurity Paula S. deWitte, J.D., Ph.D., P.E.

Legal and Policy Issues with Maritime Cybersecurity Paula S. deWitte, J.D., Ph.D., P.E.

Legal and Policy Issues with Maritime Cybersecurity Paula S. deWitte, J.D., Ph.D., P.E. Paula.dewitte@tamu.edu Associate Professor of Practice Computer Science & Engineering ENGR 461 October 10, 2017 1 Agenda Maritime assets as

583 views • 20 slides
The importance of religion in the development of our societies today and tomorrow Rafael

The importance of religion in the development of our societies today and tomorrow Rafael

The importance of religion in the development of our societies today and tomorrow Rafael Palomino Universidad Complutense (Madrid, Spain) It is a privilege and an honor to be here with you today to try to give some contributions to

493 views • 6 slides
& Tomorrow Today Natural Natural Gas Gas only only 7% of 6% of mmbtu GHG Natural Gas

& Tomorrow Today Natural Natural Gas Gas only only 7% of 6% of mmbtu GHG Natural Gas

Vermont Gas Today April 11, 2019 & Tomorrow Today Natural Natural Gas Gas only only 7% of 6% of mmbtu GHG Natural Gas in Vermont The Customer Experience Customers are paying 30% LESS on heating bills than they were in 2008.

666 views • 14 slides
The A/ A/E/ E/C I Industr try Toda day, T Tomorrow, a and B d Beyond nd Gerry rry

The A/ A/E/ E/C I Industr try Toda day, T Tomorrow, a and B d Beyond nd Gerry rry

The A/ A/E/ E/C I Industr try Toda day, T Tomorrow, a and B d Beyond nd Gerry rry Salont ntai The A/E/C Industry Today, Tomorrow and Beyond The Overall Economy Is Great! We have the lowest unemployment since the late 1960s

792 views • 39 slides
to fit the Revenue Cycles of Tomorrow Legal Disclaimer Any content included in this presentation

to fit the Revenue Cycles of Tomorrow Legal Disclaimer Any content included in this presentation

Shaping the Tenets of Government Regulations to fit the Revenue Cycles of Tomorrow Legal Disclaimer Any content included in this presentation or discussed during this session is presented for educational and general reference purposes only, and

416 views • 20 slides
OPPs Role in Agricultural Biotechnology Today and Tomorrow 1 Opening Remarks 2 Robert

OPPs Role in Agricultural Biotechnology Today and Tomorrow 1 Opening Remarks 2 Robert

OPPs Role in Agricultural Biotechnology Today and Tomorrow 1 Opening Remarks 2 Robert McNally, Director OPPs Role in Agricultural Biotechnology Today and Tomorrow 3 White House memo from July 2015: 3 key Points:

540 views • 34 slides
HIGHER STUDENT OUTCOMES TODAY IN THE UCPS CLASSROOMS OF TOMORROW Brad Breedlove Dissertation

HIGHER STUDENT OUTCOMES TODAY IN THE UCPS CLASSROOMS OF TOMORROW Brad Breedlove Dissertation

HIGHER STUDENT OUTCOMES TODAY IN THE UCPS CLASSROOMS OF TOMORROW Brad Breedlove Dissertation in Professional Practice Proposal Presentation May 2, 2017 What is a Classroom of Tomorrow? Modular Furniture Wraparound Markerwall Interactive

413 views • 20 slides
SPP Today and Tomorrow Missouri Public Service Commission 1 SPP 101 SPP.org 3 Our

SPP Today and Tomorrow Missouri Public Service Commission 1 SPP 101 SPP.org 3 Our

SPP.org 1 SPP Today and Tomorrow Missouri Public Service Commission 1 SPP 101 SPP.org 3 Our Beginning Founded 1941 with 11 members Utilities pooled resources to keep Arkansas aluminum plant powered for critical defense

684 views • 64 slides
Managing workplace stress Getting the best from today Being better tomorrow Stress: That

Managing workplace stress Getting the best from today Being better tomorrow Stress: That

Managing workplace stress Getting the best from today Being better tomorrow Stress: That Difficult Conversation MATS April 2019 Building better cultures And many more Some places we have worked: Trinidad Norway Singapore Java

715 views • 18 slides
Offshore Wind Energy: Emerging Legal Challenges Navigating Legal Requirements, Obtaining New

Offshore Wind Energy: Emerging Legal Challenges Navigating Legal Requirements, Obtaining New

Presenting a live 90 minute webinar with interactive Q&A Offshore Wind Energy: Emerging Legal Challenges Navigating Legal Requirements, Obtaining New Government Funding, and Lessons From Successful UK Wind Projects TUESDAY, NOVEMBER 8, 2011

1.06k views • 71 slides
1 Representations for requirements Unified Modeling Language UML (1997) Requirement

1 Representations for requirements Unified Modeling Language UML (1997) Requirement

Today CSE 403, Software Engineering Representation of requirements Lecture 4 Use of requirements Key parts of the discussion will (probably) be about process, not Documenting and Using artifacts Requirements Non-functional

358 views • 4 slides

More recommend