Additional Legal Considerations

Time: 15 hours 43 minutes | Difficulty: Advanced | CEU/CPE: 16
Video Transcription
We have a few additional legal considerations wrapping up this topic. Here, we'll talk about some thoughts with export and import in relation to cybersecurity, specifically thinking about cryptographic algorithms, and then we'll talk about some of these industry-specific regulations that I've alluded to earlier.

Alright, now, there was an agreement at one point in time, and it actually still exists, although it's been modified a little bit. It's something called the Wassenaar agreement. The Wassenaar agreement made it illegal to export munitions to terrorist states. That makes sense: don't send munitions to terrorist nations. But where it became interesting and relevant to us is that it considered cryptosystems that could provide greater than 40-bit encryption to be munitions. The Wassenaar agreement made it illegal to export, perhaps, operating systems or software that could provide strong encryption; we couldn't export those just anywhere we wanted. Basically, the Wassenaar agreement is still relatively enforced today, but the degree of cryptography that's considered to be strong encryption varies: there are still countries that we can't export greater than 40-bit to. It may be 56-bit or 128-bit to other countries; it really just depends. A lot of times, this is something that changes just based on what's going on in the world at any given time.

I remember this back in the '90s; it was with Windows 95. I remember we had a multinational corporation and we were getting ready to ship off some software, and we had an international copy of Windows 95. On the front, it had that little red sticker with the white writing, and it essentially said, "This version of Windows only provides 40-bit encryption," and that was to be in compliance with the Wassenaar agreement.

Now, there are also some countries that restrict how strong the cryptographic tools that can be imported are. For instance, in the Middle East at one point in time, early 2000s, they restricted import of the BlackBerry devices that were very popular at one point in time. The reason for that is BlackBerry's messenger used quite a strong encryption algorithm called RSA, which provides 2,048-bit encryption. Countries would not allow that to be imported because, of course, the idea is that with that strong encryption, they wouldn't be able to break the encryption. It's always interesting to me, because if I won't allow encryption of a certain strength to come in because I can't break it, then the assumption would be that the cryptography I allow is something I can break. That always shows you different countries in their approach and their consideration of privacy.

There's always been a back and forth between the privacy community and government. I am not a conspiracy theorist, but I would certainly argue that government entities would prefer to be able to crack any form of encryption. Anything that I encrypt, the government would like to be able to decrypt. Of course, they'd never misuse that information or anything like that. But in matters of national security, that's the argument. The privacy community essentially says, "No, I can protect my information from the government as well," and the government says, "Tell us all your secrets." What you'll see is this push and pull. The Wassenaar agreement came out of things that were going on politically in the world at that point in time.

Also in the '90s, we saw the advent of something called the Clipper chip, and the government had proposed that the Clipper chip be fitted onto all electronic systems that could provide encryption, and the keys to decrypt anything encrypted on that system would be stored on the Clipper chip. Then, if the government was able to subpoena the manufacturer, the manufacturer would be forced to turn over the key to the Clipper chip, thus unlocking the keys to everything encrypted on that system and thus providing a government back door into all encrypted communications. That was not well received, shockingly enough. Ultimately, the Clipper chip was declared dead in the mid '90s. But that just shows you that the government is always going to push to be able to decrypt what we can encrypt. It's up to us and the privacy community to take that stand and say, "No, we have a right to protect our information, even when it comes to protecting information from the government." We'll always see that push and pull.

Now, other considerations with employees, and I'd mentioned this a little bit earlier. But from a legal standpoint, we have to be very considerate of the privacy of our employees. If we're going to infringe upon that privacy, then we have to have a legitimate business need to do so, and most importantly, we must notify those employees. If I'm going to monitor telephone calls or emails, we need notification. Also keep in mind that if it's two-party communication, some states require both parties to be notified. We always want to err on the side of caution. That's why, when you call in to customer service, you always get that recording that says this call may be monitored for quality control purposes. That's where they are notifying you and keeping up with their end of the bargain. It's not required in all states. But again, we'd rather err on the side of caution. Notification is hugely important in relation to employee and customer privacy.

We've got some regulations that we want to mention, again, going into or spawning from the fact that we don't have federal privacy laws. We have industry-specific regulations that address privacy of personal health care, personal financial, and personally identifiable information.

We have HIPAA. HIPAA is for personal health care information, and it applies to health insurance companies, the health care providers, and then we have what are called health care clearing houses, and these are the organizations that batch process forms related to health care information. Being found liable under the HIPAA Act is only going to apply to those three entities. Now, down at the bottom, we've got a bullet point that says liabilities can't be outsourced. Absolutely. I can transfer risk and outsource specific functions and share the loss potential with another organization. However, if I'm the health insurer that collected this information, or the health care provider, I'm still liable for the protection of that data. For instance, let's say you're my patient, I collect your medical records, and I decide that I have too many medical records to process in-house. I might hire another firm to do the processing. That firm, even though they may give me a service level agreement and commit a certain degree of service to me, they're not liable under HIPAA as I am, the health care provider. Now, there are certain extensions to HIPAA. We have the HITECH Act, and that's a fluid situation. I hate to say this is the law. Let's think in terms of best practices. When I'm the owner of the data, I'm the one who's liable for it. Just because I outsource data processing or storage somewhere else, that does not alleviate my responsibility. That's a good way to think about it.

Now, in addition to health care, we have the Gramm-Leach-Bliley Act. You may see it abbreviated as GLBA. This is to ensure that our bank, our financial organization, can't share information with other organizations, and to make sure that our financial information and our personally identifiable information is protected. If you've ever done any sort of applying for a loan online or refinancing your house or that, usually or traditionally, those documents have had to have been signed in person, because we didn't have a strong way to ensure the security of digital documents. Now, they generally have secure formats that require digital signatures and many more safeguards protecting them, and that's because of the Gramm-Leach-Bliley Act, making sure that our financial institutions protect our financial information.

Alright, another law to consider is trade secret law. This can go back under intellectual property, and kind of think about it here. But our trade secrets are what provide our company competitive value: our secrets, our processes. Again, that idea that these trade secrets must be protected, must not be obvious. All those same elements are relevant.

Then I also mentioned very briefly the Payment Card Industry Data Security Standard. This is for the payment card, credit card, debit card industry, and all of those vendors that accept payment cards. Now, what's important to know here is the payment card industry is not federally regulated. It is self-regulated, which means Visa, MasterCard, American Express, the big players, have come together to develop the data security standard to protect payment card information, account numbers, personal financial information. Vendors agree to adhere to the Data Security Standard via contract. If a vendor is proven to not follow the rules of the data security standard, then their privilege of accepting payment cards can be revoked. If you could think about that in today's environment, not being able to take credit cards or debit cards, especially for an online business, that would be crippling. The vendors have that vested interest in making sure they can keep their payment card steps. The PCI DSS can be referred to as a framework, and our framework again gives us those broad guidelines of what we need to develop and establish. PCI DSS has six core principles. I don't foresee these coming up on the test, but just again, to help you see this as a framework, those are the principles.

Alright, so we have talked about additional legal considerations, like some of the things to be concerned with in importing and exporting of cryptosystems, and then we also looked at some of the industry-specific regulations like HIPAA, Gramm-Leach-Bliley, and so on.