The Manager’s Guide to Cybersecurity Law: Essentials for Today's Business
About this ebook
In today’s litigious business world, cyber-related matters could land you in court. As a computer security professional, you are protecting your data, but are you protecting your company? While you know industry standards and regulations, you may not be a legal expert. Fortunately, in a few hours of reading, rather than months of classroom study, Tari Schreider’s The Manager’s Guide to Cybersecurity Law: Essentials for Today’s Business lets you integrate legal issues into your security program.
Tari Schreider, a board-certified information security practitioner with a criminal justice administration background, has written a much-needed book that bridges the gap between cybersecurity programs and cybersecurity law. He says, “My nearly 40 years in the fields of cybersecurity, risk management, and disaster recovery have taught me some immutable truths. One of these truths is that failure to consider the law when developing a cybersecurity program results in a protective façade or false sense of security.”
In a friendly style, offering real-world business examples from his own experience supported by a wealth of court cases, Schreider covers the range of practical information you will need as you explore – and prepare to apply – cybersecurity law. His practical, easy-to-understand explanations help you to:
- Understand your legal duty to act reasonably and responsibly to protect assets and information.
- Identify which cybersecurity laws have the potential to impact your cybersecurity program.
- Upgrade cybersecurity policies to comply with state, federal, and regulatory statutes.
- Communicate effectively about cybersecurity law with corporate legal department and counsel.
- Understand the implications of emerging legislation for your cybersecurity program.
- Know how to avoid losing a cybersecurity court case on procedure – and develop strategies to handle a dispute out of court.
- Develop an international view of cybersecurity and data privacy – and international legal frameworks.
Schreider takes you beyond security standards and regulatory controls to ensure that your current or future cybersecurity program complies with all laws and legal jurisdictions. Hundreds of citations and references allow you to dig deeper as you explore specific topics relevant to your organization or your studies. This book needs to be required reading before your next discussion with your corporate legal department.
Tari Schreider, SSCP, CISM, CCISO, ITIL Foundation
Tari Schreider, SSCP, CISM, C|CISO, ITIL Foundation, is a distinguished technologist and nationally known expert in the fields of cybersecurity, risk management, and disaster recovery. Co-founder of Prescriptive Risk Solutions, LLC (PRS), he is former Chief Security Architect at Hewlett-Packard Enterprise. PRS designs custom solutions for companies with challenging legal and regulatory compliance issues that need to be solved quickly. PRS maintains one of the world’s largest databases of security and disaster recovery incidents, with nearly 12,000 incidents covering 10.6 billion compromised records. Mr. Schreider has designed and implemented complex cybersecurity programs, including a red team penetration testing program for one of the largest oil and gas companies in the world, a NERC CIP compliance program for one of Canada’s largest electric utility companies, and an integrated security control management program for one of the US’ largest 911 systems. He has advised organizations from China to India on how to improve their cybersecurity programs through his Information Security Service Management – Reference Model (ISSM-RM). Schreider implemented a virtual Security Operations Center network with vSOCs located in the US, Brazil, Italy, Japan, Sweden, and the US. He was also responsible for creating the first Information Sharing and Analysis Center in collaboration with the Information Technology Association of America (IT-ISCA). His earliest disaster recovery experiences included assisting companies affected by the 1992 Los Angeles Rodney King Riots and the 1993 World Trade Center bombing. His unique experience came during the 1990 Gulf War, helping a New York financial institution recover after becoming separated from its data center in Kuwait. Schreider has appeared on ABC News, CNN, CNBC, and NPR, and has had numerous articles printed in security and business magazines including Business Week, New York Times, SC Magazine, The Wall Street Journal, and many others.
He studied Criminal Justice at the College of Social & Behavioral Sciences at the University of Phoenix and holds the following certifications in security and disaster recovery:
• American College of Forensic Examiners, CHS-III
• Certified CISO (C|CISO)
• Certified Information Security Manager (CISM)
• ITIL™ v3 Foundation Certified
• System Security Certified Practitioner (SSCP)
• The Business Continuity Institute, MBCI
• University of Richmond – Master Certified Recovery Planner (MCRP)
Book preview
The Manager’s Guide to Cybersecurity Law - Tari Schreider, SSCP, CISM, CCISO, ITIL Foundation
Preface
My nearly 40 years in the fields of cybersecurity, risk management, and disaster recovery have taught me some immutable truths. One of these truths is that failure to consider the law when developing a cybersecurity program results in a protective façade or false sense of security. You may be protecting your data, but you are not protecting your company. Showing you how to avoid the painful lesson of learning this truth too late is the reason I wrote this book.
This book shows you how to bridge the gap between cybersecurity programs and cybersecurity law. My vantage point is somewhat unique in that I am a board-certified information security practitioner with a criminal justice administration background. While I do not dispense legal advice here, my goal is to provide awareness of various legal considerations that managers should embrace. I do strongly recommend that after you have read this book, you sit with your legal department to begin the discussion of creating a closer relationship between your organization’s cybersecurity policies and practices and the law. We live in a litigious world and therefore must prepare ourselves for the eventuality of a cyber-related lawsuit.
Your company may have developed its cybersecurity program according to the letter of applicable security standards or industry regulations. But this usually leads to developing your program in a bubble when the law is not considered. My hope is that after reading this book, you will have a whole new way of thinking and approach to your company’s cybersecurity program. Applying what you learn about criminal and civil procedure as well as other lessons presented in this book will allow you to burst out of that bubble.
Because you have responsibility in your company to protect your company adequately against future cyber liability, you have a duty to think past security standards and regulatory controls to ensure your cybersecurity program complies with all laws and legal jurisdictions.
Finally, let me remind you that you should not act on any advice in this book without first seeking legal advice.
Tari Schreider
Atlanta, Georgia – Cheyenne, Wyoming
January 2017
Chapter 1
Introduction to Cybersecurity Law
A sense of excitement and anxiety rushes over you simultaneously upon receiving an invitation to present your cybersecurity program to senior executives of your company. At last, you have achieved recognition for creating a cybersecurity program that meticulously follows industry standards! Your proposal has passed several independent assessments and even garnered approving nods from internal audit. Filled with confidence and thinking your life as a leader and manager in cybersecurity couldn’t be better, you embark enthusiastically on your carefully prepared presentation. Then, shortly after your opening remarks, your organization’s chief legal counsel chimes in: “Have you ensured our cybersecurity program complies with and supports all the legal statutes to which we must adhere?”
Your answer to this question will get the immediate attention of the senior leadership of your company – and imprint the question of your subject-matter competency on their minds. As the champion of your organization’s cybersecurity program, your challenge is to answer this question skillfully in order to earn the confidence and respect of those with the authority to support and fund your cybersecurity initiatives.
This chapter will help you to:
• Communicate effectively with your company’s legal counsel by having a working knowledge of how the US legal system applies to cybersecurity.
• Seek out and implement ways to improve your company’s cybersecurity program to avoid post-cyberattack lawsuits.
• Upgrade your cybersecurity policies to comply with state, federal, and regulatory statutes.
1.1 Infamous Cybercrimes
You may have seen many headlines, articles, or lists showcasing computer hacking and other cybercrime events; however, few focus on the cybercriminals who have been charged, prosecuted, and convicted for their cyber offenses. Before we begin our cybersecurity law journey, I think it only appropriate to offer some examples of what happened when the crime was over and the offenders were punished.
Significant cybercrime court cases of the past five years include:
• October 18, 2012 – Top executives of Kolon Industries indicted for stealing Dupont’s Kevlar trade secrets. Using computers to copy intellectual property and then to destroy the data, Kolon pleaded guilty and paid $360 million in restitution. Several executives were sentenced to prison terms (E.I. DuPont de Nemours, 2011).
• July 26, 2013 – Five Russian and Ukrainian hackers charged in $300 million crime from the theft and use of 160 million credit card numbers from Carrefour SA, JCPenney, JetBlue Airways, Visa, and others (Williams, 2015).
• August 27, 2014 – Former acting director of cybersecurity at the US Department of Health and Human Services (HHS) convicted on child pornography charges. Ultimately he was sentenced to 25 years (Robinson, 2014).
• December 17, 2015 – Six defendants from China, Germany, Singapore, and the US pleaded guilty to a $100 million software piracy scheme. Over a period of six years, 170,000 stolen Microsoft and Adobe activation keys were sold illegally (US Department of Justice, 2015).
• September 1, 2016 – A Romanian hacker known as Guccifer received a 52-month prison sentence for 100 counts of unauthorized access to a protected computer and aggravated identity theft (US Department of Justice, 2016).
TIP: Compare the examples above with the security technologies and practices you currently have in place, and ask yourself whether your methods would have detected trade secret theft, hacker intrusions, a senior executive violating a security policy, use of pirated software, or employee identity theft.
1.2 Civil vs. Criminal Cybersecurity Offenses
As the manager of cybersecurity, you may need to deal with both civil and criminal cases.
• Criminal cases will result from either an insider committing a cyber offense or an external party hacking into your computer systems.
• Civil cases will arise from your organization suing a company, or from a company suing your organization, for some harm caused by a cyberattack.
Your cybersecurity program will need to address both scenarios. You must also be ready to be either the plaintiff or the defendant.
• In a civil case, as the plaintiff, you would be claiming that some entity has failed to fulfill a legal duty. For example, you would be the plaintiff if your company is bringing suit against a cloud service provider that exposed your customers’ data due to an incorrectly configured firewall.
• As a defendant, an entity would be accusing your organization of the same. In criminal cases, the government or a private entity will bring the case against you (the defendant), and your role will be to gather evidence to disprove the alleged offense. For example, you will be the defendant if a class action lawsuit is brought against your company following a hacking incident where customer data was stolen.
By now, you should be contemplating how to ensure your cybersecurity program supports these legal scenarios. The determination of whether it is a civil or criminal matter begins with the establishment of the crime.
1.2.1 Clarifying the Definition of Cybercrime
No universal definition of cybercrime exists; however, a general consensus exists that cybercrime falls into two categories. The first category is current crimes that are now committed using computers and networks. The second includes crimes that have specifically evolved in the computer age and use sophisticated methods to commit crime. Definitions of cybercrime have fundamental similarities in a broad sense; however, a diverse array of opinions nonetheless exists.
• Not surprisingly, many courts also have varying interpretations of cybercrime, including even how to spell the term, which is variously written as cyber crime, cyber-crime, or cybercrime.
• Contributing to the disparity of definitions is the changing landscape of technology. Cloud computing, software-defined infrastructure, and outsourcing have all but obliterated many definitions of cybercrime. A clear and concise definition of cybercrime establishes the proper foundation for developing policies and practices to detect, prevent, and mitigate offenses. I will discuss more about policy creation in Chapter 6.
An understandable definition of cybercrime bridges the gap between the law and your cybersecurity program and brings clarity to the portions of your cybersecurity program that address criminal offenses.
1.2.2 Challenging Your Current Definition of Cybercrime
Is the current description of the crimes clear and concise enough to create actionable policies and practices? Many definitions just state that computer crime is the commission of a crime through the use of equipment and networks. I argued just such a point with a client once and even performed a breach of security simulation to prove the point. The exercise consisted of USB sticks strewn across their parking lot, with the hope that a few unsuspecting employees would pick them up and attempt to read the data. Approximately a dozen employees were detected by the client’s endpoint security software plugging the USB sticks into their computers. The exercise showed that no crime had been committed according to their definition as neither a computer nor a network was used to commit the offense. Their legal department agreed and subsequently made modifications to their definition of cybercrime. How do you feel your employees would do with a similar test?
1.2.3 Creating a Strong Cybercrime Definition
Depending on geographical location and jurisdiction, cybercrime definitions vary. You will want your cybercrime definition to hold true regardless of the rapidity of legislative and technological change, as well as to adhere to multiple legal jurisdictions. Consider peer-testing your cybercrime definition against a definition that I have developed over my career of working with numerous companies. This definition has evolved from dozens of legal department reviews:
Cybercrime is a criminal act in which computerized equipment, automated service, or communications mechanism is either the object or the means of perpetrating legal or regulatory restricted or prohibited offenses.
Such a definition has a number of advantages:
• Including the word offenses in the definition rather than citing specific examples such as theft or fraud makes the definition timeless.
• The use of the words equipment, service, and communications frees the definition from being dependent on specific technologies.
• You will not need to cite specific examples such as cybertheft or computer fraud in your definition, as those examples will always be a crime regardless of a cyber component.
To ensure that your cybersecurity program defines cybercrime adequately in an actionable sense, be sure to validate the definition with your company lawyers.
1.2.4 Cybercrime Categories in the Incident Response Plan
Once you have a vetted and approved cybercrime definition, don’t forget about identifying the likely types of cybercrimes to which your organization is exposed. Naming cybercrimes within the definition will burden the description unduly by limiting its applicability and usefulness, which is why it is important to identify them separately. The proper place to address the identified cybercrimes is in your company’s incident response plan, a set of instructions or tasks specifying the actions necessary to respond to a specific security emergency. Emergencies could include virus outbreaks, loss or theft of an employee-assigned laptop containing sensitive information, or a ransomware attack. Using a risk assessment as your guide, focus on the cybercrimes with the highest possible likelihood of occurrence which have a correspondingly high potential of impact.
To aid in the identification of cybercrimes, you will find it helpful to examine the four primary categories:
1. Personal Cybercrimes. These types of crimes target people and consist of cyberbullying, cyberstalking, identity theft, identity impersonation, fraud scams, data theft, ransomware attacks, etc.
2. Institutional Cybercrimes. These types of crimes target companies or governments and consist of denial of service attacks, cybervigilantism, cyber terrorism, cyber-slander, hacktivism, website defacement, etc.
3. Property Cybercrimes. These types of crimes target digital property and consist of data theft, computer sabotage, data destruction, etc.
4. Inchoate Cybercrimes. Inchoate is a specific legal term that is used to describe crimes that have been started, but not completed. An example of this type of crime would be where a hacker has completed the initial steps of an attack on a network or computer (target). These steps could include scanning a target for potential vulnerabilities, verifying the vulnerabilities exist on the target, and installing malicious software to siphon away confidential data. In this example, all the hacker would need to do to complete the crime is activate the malicious software remotely. What would make this an inchoate crime is that the last step of activating the malicious software is never completed. Despite the fact that such crimes are incomplete and no harm has yet occurred, they were nonetheless attempted, demonstrating that a substantial criminal effort was under way. Inchoate crimes also include cyber conspiracy, cybersolicitation, cyberstalking, and other types of attempted crimes.
TIP: The tone and scope of a cybersecurity program start with a proper cybercrime definition. The definition will shape the construction of information and asset protection policies and practices. Address specific high-risk cybercrimes within your incident response plan.
1.3 Understanding the Four Basic Elements of Criminal Law
It would be nearly impossible to build connections to the law in your cybersecurity plan without at least knowing the fundamentals of criminal law. If you know how the legal system determines guilt or innocence, you can better create a cybersecurity program with appropriate enforcement mechanisms.
One of the biggest disconnects in cybersecurity programs and the law is in the area of security policies. You will need to ask yourself if the security policies of your company hold employees to a higher standard than the law or if you would terminate an employee violating a policy without criminal intent. Policies will be discussed more in Chapter 6.
The four elements of criminal law which you should be familiar with are mens rea, actus reus, concurrence, and causation. It is advisable for you to use these four elements of criminal law as your security policy enforcement standard to avoid legally contested terminations resulting from a security policy violation.
1.3.1 Mens Rea
The first element of criminal prosecution is proving mens rea or a guilty state of mind of the offender. However, as cybercriminals operate remotely and generally without witnesses, it is nearly impossible to prove their intent or state of mind during the commission of their hacking into a computer system or network. You may also think of this as the evil intent of the offender.
1.3.2 Actus Reus
Actus reus is the second and the most critical element of pursuing a case against an unknown subject (unsub) or perpetrator. Simply put, actus reus is the criminality of the offense itself where law enforcement collects the evidence and witness testimony necessary to prove beyond a reasonable doubt that one or more individuals committed the crime. Unfortunately, existing laws all but make it impossible for prosecutors to establish actus reus due in part to the ease with which criminals can cover their digital tracks or evidence. Uncovering evidence requires highly experienced forensic investigators. See Chapter 4 for more detail on digital forensics.
1.3.3 Concurrence
The third element of a crime is concurrence. As if mens rea and actus reus were not difficult enough to determine individually, prosecutors also need to show they occurred at the same time – the element of concurrence. Offenders cannot be found guilty without a direct connection between the mens rea and actus reus elements of a crime, or in other words they had the intent to violate a law as well as cause harm. Early computer criminals were often found not guilty because prosecutors could not prove both their evil intent and evil acts.
1.3.4 Causation
Causation is the fourth element of an offense and one of the most difficult to prove. Here, prosecutors must prove the criminal activity and the outcome or detrimental effects of that activity. Causation is essentially actus reus in association with harm. The difference between the elements of concurrence and causation may seem subtle, but it is significant. Concurrence just means that two things must happen at the same time. Causation is the conduct of the perpetrator and the result of his or her act. You may think of this as the harm caused to people or property as a result of a criminal activity.
1.4 Branches of Law
You will encounter three basic types of law in cybersecurity: public, private, and regulatory.
• Public cyberlaw refers to cybercriminals and the government. Public law is part of the criminal legal system allowing the government to bring an action against those that violate cybersecurity and privacy laws.
• Private cybersecurity law applies to companies with respect to their obligations and contracts. Private law, part of the civil legal system, allows companies to resolve common law disputes, an area also called tort law.
• Regulatory law, also known as administrative law, sets out the rules and regulations prescribed by various governmental agencies.
1.5 Tort Law
Up to this point, you have learned how cyberlaw relates to criminals, but how does cybersecurity law relate to your organization? Organizations can be held liable for a cyberattack. The last thing you would want to occur after surviving an attack is to face a lawsuit for causing and contributing to the cyberassault.
A tort is a civil wrong that happens when a group or individual