GEORGE MASON AMERICAN INN OF COURT WHAT YOU NEED TO KNOW ABOUT CYBERSECURITY November 28, 2017 Team Members: Honorable John M. Tran Jay V. Prabhu, Esq. Steve Britt, Esq. Ryen Rasmus, Esq. (Team Leader) Louise T. Gitcheva, Esq. Philip Abbruscato (Student Member) Kyle Armstrong (Student Member) Danny Alvarado (Student Member) 1 I. Regulatory Framework – United States Cyber security laws a. 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA): Applies to every government agency, “requires the development and implementation of mandatory policies, principles, standards, and guidelines on information security” to ensure the security of data in the federal government. i. The act requires program officials, and the head of each agency, to conduct annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely and efficient manner. b. Cybersecurity Information Sharing Act (CISA): Authorizes companies to monitor and implement defensive measures on their own information systems to counter cyber threats. i. CISA provides certain protections to encourage companies voluntarily to share information—specifically, information about “cyber threat indicators” and “defensive measures”—with the federal government, state and local governments, and other companies and private entities. ii. These protections include protections from liability, non-waiver of privilege, and protections from FOIA disclosure, although, importantly, some of these protections apply only when sharing with certain entities. c. Cybersecurity Act of 2015: Establishes a voluntary framework for confidential, two-way sharing of cyber threat information between private sector and U.S. government, via a Department of Homeland Security portal; offers protection from liability for sharing. d. Computer Fraud and Abuse Act: Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer if the conduct involved an interstate or foreign communication shall be punished under the Act. e. Foreign Intelligence Service Act (FISA): Designed primarily for intelligence gathering agencies to regulate how they gain general intelligence about foreign powers and agents of foreign powers within the borders of the United States. f. Electronic Communications Privacy Act (ECPA): Handle electronic surveillance, interceptions, and access to data, for domestic law enforcement purposes for criminal investigations involving people in the United States g. PATRIOT Act: Allows federal officials greater authority in tracking and intercepting communications, both for purposes of law enforcement and foreign intelligence gathering. h. Wiretap Act: Regulates the interception of a communication through the use of any electronic, mechanical or other device. Applies when communications are intercepted contemporaneously with their 2 transmission. Once the communication is completed and stored, the Wiretap Act no longer applies. i. To allow a wiretap, a judge must find probable cause and that the particular communication concerning the offense will be obtained through the interception. 1. Alternatives to wiretapping must have been attempted and failed, or reasonably appear to be unlikely to succeed or to be too dangerous. 2. The order can last for up to 30 days and can be renewed. II. State laws: Fills in the gap of federal law, but can set de facto national standards a. Virginia: i. Virginia Personal Information Data Privacy Notification And Encryption Laws: Va. Code § 18.2-186.6 1. Unlike similar state laws, this includes a provision for imposing financial penalties for noncompliance ii. Virginia Compute Crimes Law 1. Covers the intentional trespassing into computer network, use of a computer for fraud, and various other crimes involving a computer are prohibited under state laws. 2. In Virginia, computer crimes also include invasion of privacy and computer harassment. The state separates offenses into misdemeanors and felonies, with the more serious crimes involving theft. Attempt is not considered a crime, but Virginia does allow civil lawsuits for damages related to computer crimes. III. Key Industries with Cyber Security Regulations a. Healthcare: Controlled under the 1996 Health Insurance Portability and Accountability Act (HIPAA). i. Regulates medical information. It can apply broadly to health care providers, data processors, pharmacies and other entities that come into contact with medical information. The Standards for Privacy of Individually Identifiable Health Information apply to the collection and use of protected health information. The Security Standards for the Protection of Electronic Protected Health Information provides standards for protecting medical data. The Standards for Electronic Transactions applies to the electronic transmission of medical data. These HIPAA rules were revised in early 2013 under the HIPAA “Omnibus Rule”. ii. The HIPAA Omnibus Rule also revised the Security Breach Notification Rule which requires covered entities to provide notice of a breach of protected health information. Under the revised rule, a covered entity must provide notice of acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule, unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised. 3 b. Insurance and Financial Services: Must comply with the Gramm-Leach- Bliley Act which requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data. c. Telecommunications Carriers: Current communication cybersecurity issues involve the management and transfer of customer databases, the appropriate uses of position-location technology, and special statutes such as the Cable Television Consumer Protection and Competition Act governing cable subscriber information or, under the Communications Assistance for Law Enforcement Act (CALEA) establishing technical facilities cooperation responsibilities. i. CALEA requires a “telecommunications carrier,” to ensure that equipment, facilities, or services that allow a customer or subscriber to “originate, terminate, or direct communications,” enable law enforcement officials to conduct electronic surveillance pursuant to court order or other lawful authorization. ii. CALEA is intended to preserve the ability of law enforcement agencies to conduct electronic surveillance by requiring that telecommunications carriers and manufacturers of telecommunications equipment design and modify their equipment, facilities, and services to ensure that they have the necessary surveillance capabilities as communications network technologies evolve. iii. CALEA is limited to Telecommunications Carriers as defined by the Act and interpreted by the FCC. In addition, CALEA specifically exempts “Information Services”, which includes many Internet based communications service providers, electronic storage providers and electronic messaging services. d. Government Contracts: Federal contractors are increasingly targeted by cyber attacks due to the sensitive nature of government information that is generated, received and stored on their systems. In response to these attacks, as well as high-profile attacks on government-owned information systems and insider threats, the government has adopted stringent information security protocols and cyber incident reporting obligations. i. On May 16, 2016, the Federal Acquisition Regulation (FAR) was amended to implement requirements for the “Basic Safeguarding of Covered Contractor Information Systems” to apply to all government contractors. The intent is to establish basic safeguarding measures that are (or should be) generally employed by contractors as part of “routine” business practices – the rule is a baseline and does not impact other more specific federal information safeguarding requirements. IV. Model Rules of Professional Conduct – Cybersecurity and an attorney’s duty to safeguard confidential data of clients 4 a. Rule 1.1 Competence a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology...” i. “A lawyer shall provide competent representation to a client.” This “requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” It includes competence in selecting and using technology. It requires attorneys who lack the necessary technical competence for security to consult with qualified people who have the requisite expertise. b. Rule 1.6 Confidentiality of Information: “(c) A lawyer shall make reasonable efforts to prevent the unintended disclosure of, or unauthorized access to, information relating to the representation of a client.” i. Aug. 2012 addition to Comment [18] 1. “reasonable efforts” considers, the sensitivity of the information. the likelihood of disclosure if additional safeguards are not employed and safeguards (cost, difficulty of implementing, and extent to which they adversely affect the lawyer’s ability to represent clients) c. Rule 1.4 Communication: Requires appropriate communications with clients “about the means by which the client's objectives are to be accomplished,”
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages250 Page
-
File Size-