Data scientists, heuristic analysis, APTs, ransomware; no doubt information security intrigues us with sexy wrapping. The unfortunate reality is that the bulk of a security engineer’s laborious task of protecting sensitive information is spent on basic blocking and tackling, while being bound by governmental and regulatory rules. Regardless of the lens through which you view your work, reducing information systems risk to an acceptable level is your job. That risk includes a legal aspect. My THOTCON session will prepare you for the challenges (and too often, the surprises) of legal risk. The most troubling legal challenge for Information Security and Risk Management teams has its roots in privacy law. Privacy law addresses both data protection and data breach notifications. Jurisdiction complexity compounds the legal challenge. I’ll elaborate using an extreme case such as a law firm with healthcare, banking and intellectual property practices. As their attorney, the law firm will be storing their clients’ customer/client/patient data [including personal identification information, financial information and healthcare information]. In the Information Age, doing business on the Internet results in customers that may well be geographically dispersed, sometimes even globally. From a governmental perspective, the law firm may have unique data breach notification requirements that encompass all 50 United States, Europe and the Pacific Rim. Privacy legislation is evolving beyond data breach notifications. As an example, Kentucky's new data protection law will also provide protection on how student data that is stored in the cloud may be used. Almost all of the United States have more than one new privacy law pending and to further complicate your legal responsibilities, government is only one-side of the jurisdictional complexity equation. An IT organization may also be scrutinized by one or more regulatory standards such as PCI, GLBA, HIPAA, CJIS or others, which are also on a trend towards stricter requirements.
Once you’ve gained comprehensive knowledge of privacy law, you’ll need to integrate those legal requirements into your Incident Response Plan. On that note, after all you have invested in protecting sensitive data, I expect you will want to go for the throat of the guilty culprit. Just like our real world, “CSI cyber-space” must adhere to the legal requirements of the judicial system. Event logs are an excellent form of evidence during prosecution, but only if you’ve documented the chain of custody, including hash files that can prove your electronic evidence was not tampered with. Legal battles aren’t always us versus them. Employer – employee relationships include a legal perspective that cannot be overlooked. Providing employees with internet access is a double-edge sword. A lack of internet access is a huge turn off for most young employment candidates. Unfortunately, employers who open up their internet connection to employees, may well be opening up Pandora’s Box. Consider the potential for productivity to tank when an employee’s workspace becomes a virtual hang out with friends on Facebook. What legislation [if any] addresses employees posting sensitive corporate data or negative comments pointed at their employer on social networking sites? Freedom of speech? What is legally acceptable in a work contract? How can corporate policy prevent employee initiated corporate damage? Now consider that it’s a two way street: employers are beginning to demand candidate employees’ social networking credentials. Is this legal? GPS on your mobile device? Are you being tracked? Stalked? It is important that both employers and employees be aware of the legal aspect of internet activity and protection of sensitive data, while concurrently respecting privacy. What will the future hold? Is it possible that someday the company will be held liable if an employee doing personal banking on a corporate workstation over the company’s internet connection becomes the victim of fraud? Can an employee’s perception of the company’s “secure internet connection” result in the employer’s responsibility? If we still have time and the audience has interest, I will be prepared to address the significant increase in cybersquatting due to ICANN [The Internet’s governing body] promoting an influx of new top level domains. There are laws to protect your Web trademark [aka domain name]. Know them so your company can protect their hard earned, marketing investment. The legal vector intersects our information security endeavor at numerous touch points. During my THOTCON session I will address each point, while connecting the dots and thereby arming you with a holistic picture of the legal aspect of information security.