Part 3 - Legal Concepts Relative to Cybersecurity

Video Activity

This lesson covers legal concepts relative to cyber security and covers the following: 1. Duty: does the defendant have the responsibility to protect information? 2. Negligence: Is there evidence that the defendant did not fulfill his or her duty of care? 3. Damage: did the plaintiff suffer quantifiable harm? 4. Cause: Can the breach of duty relate...

Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
48 minutes
Difficulty
Advanced
CEU/CPE
1
Video Description

This lesson covers legal concepts relative to cyber security and covers the following: 1. Duty: does the defendant have the responsibility to protect information? 2. Negligence: Is there evidence that the defendant did not fulfill his or her duty of care? 3. Damage: did the plaintiff suffer quantifiable harm? 4. Cause: Can the breach of duty related to the damages be considered a primary cause?

Video Transcription
00:04
before we dive into the legal concepts, their relative to cyber security. A little disclaimer.
00:09
I do not claim to be an attorney, nor do I play one on television. However, if I were, it's important to know that all details contained in this training are based upon open source information,
00:29
then with attribution.
00:30
They should not be construed as legal advice or legal guidance. It's merely for informational purposes on Lee.
00:37
Okay, so now let's talk about legal concepts relative to cyber security.
00:43
I'm going to preface this section by highlighting for you that about several years ago I apply these same concepts in the pursuit of a pro se case. Which means I filed all my own
00:55
against a company whose poor cyber hygiene allowed for the unauthorized disclosure of my personal information.
01:02
Well, the terms of settlement included in a non disclosure agreement,
01:04
so I cannot disclose who is involved. But I can advise is the fact that when you add up what I was compensated,
01:12
plus the estimated legal fees for them to defend their position a simple database configuration that cost $1800 to resolve
01:22
wind up costing this business approximately $113,000.
01:27
You've probably heard the term due diligence.
01:30
Everyone loves to throw this one around.
01:33
There's just one problem.
01:34
It is only a fraction of the equation
01:38
when assessing a claim of negligence.
01:42
Now we're gonna be talking about this equation later in the session, actually on the next slide. But let's face it
01:48
would've business owners to actually care about
01:51
the bottom line.
01:52
And make no mistake, it lawsuit hits that bottom line.
01:56
What most board members know is the term duty of care,
02:00
and this is sometimes also referred to as the standard of care.
02:05
I will give you a couple of seconds to review this passage.
02:15
Now let's examine the four elements that can lead to a civil or even criminal case based on negligence
02:22
to the organization. Heavy duty to protect
02:24
a great example here is if you maintain, transmit
02:28
or receive credit card information.
02:30
Negligent
02:32
An example may include a utility company had not yet patched a year old vulnerability on a server
02:38
that resulted in an elderly homeowner freezing to death
02:43
because the power was shut off.
02:45
Damage
02:46
damages the cornerstone argument. But where so many prior cases before target have failed,
02:52
people have been launching civil cases against companies like Heartland TJ Maxx in others for years. Why do these cases keep getting thrown out of court?
03:02
Because the judges have ruled that a cardholder
03:06
who experiences fraud due to a breach
03:08
has been exposed to an inconvenience
03:13
and not necessarily harm.
03:15
And the reason why is because the banks reimburse their customers.
03:20
And finally, cause
03:23
is the basis of the negative action directly tied to the offending party
03:28
here.
03:29
Was there contributory negligence? What that means is okay, So, yes, you had your bank account
03:36
that got hacked.
03:38
But you were also looking at a pornographic website and were infected with malware.
03:42
So now you have contributed, albeit unintentionally,
03:46
to the act, resulting in fraud
03:49
against your own account. On the prior slide, I made reference to the term due diligence.
03:55
So what exactly is due diligence
03:59
in layman's terms?
04:00
What would be reasonable, imprudent person do under the same circumstances?
04:05
If you maintain, store or transmit credit card data,
04:11
should you do a penetration test?
04:14
A reasonable and prudent person? What? Because you want to make sure that you can protect
04:18
the data.
04:19
Now let's talk about do care.
04:21
The fact that he did Penn test doesn't mean that that's where it stops. You obviously have results from that examination.
04:30
Do you care?
04:31
Is a premise based on what do you do after the fact? So now that you found some weaknesses, what have you as a reasonable, imprudent person done
04:44
to be able to rectify the situation?
04:46
Now,
04:47
the fact that an organization did not take remediate of action does not necessarily mean that they're negligent.
04:56
However,
04:58
if that same organization does not properly document
05:01
the rationale as to why they did not remedy the situation and how that conclusion was based on risk bringing checkbook because when you go to court, you better have a lot of room for a number of zeros in that check.
05:15
So ultimately, what we're left with is the equation that due diligence plus vieux care actually equals the duty of care.
05:24
Okay, I get it. There's always gonna be a number of individuals
05:28
they were going to take the position of.
05:30
Well, if I don't do a penetration test, I won't know about where my weaknesses are. And if I don't know about it, then I can't be hold accountable for it. right.
05:41
Well, we're gonna explore these legal concepts and how they apply in recent court cases. And if you still feel that way after the end of the session,
05:49
more power to you. While there are many more cases than when I am highlighting that pertained to cases on cybersecurity breaches, I'm only focusing on these five examples
05:59
because they were highly publicized
06:01
or
06:02
noteworthy for this session.
06:04
The first case we will examine is the state of Maine's Public Utility Commission versus Verizon.
06:10
So here's essentially happened.
06:12
Verizon leases the lines from the state of Maine and has charged, I think back in 3 $67,000 a month or somewhere around that dollar value
06:23
some of you may recall back in the early two thousands
06:26
mass propagation of worms.
06:29
This is back in the days of Code Red and Nimda.
06:32
Well, in this particular instance, this is when the slammer worm was running wild.
06:39
The patch that was available to remedy the Microsoft for ability have been around for over a year.
06:46
Unfortunately for Verizon, they did not patch
06:49
and
06:50
their systems got crushed. As a result,
06:54
they were unable to use their infrastructure
06:57
so When the bill came in for $65,000
07:00
they fought it. When I went to arbitration,
07:03
the presiding judge was able to notice that
07:06
A. T and T
07:09
applied the patch
07:10
and they went unharmed.
07:12
M. C I telcom, apply the patch and they also
07:16
were unharmed.
07:17
So the presiding arbitrator basically took the position of saying So Let me get this straight. These guys apply the patch, they're safe,
07:26
you don't apply the patch
07:29
and somehow you still expect a favorable ruling. So by comparing 18 T and empty eye tooth horizon, this commission essentially leverage what is known as a neighbor policy. What would be reasonable, imprudent person do in the same line of business with the same scope and charter?
07:46
The presiding judge also went on to advise that these tacks are foreseeable
07:50
in preventable.
07:53
So much for sticking your head in the sand. This was a big first step because for the first time, the bench is essentially saying a private enterprise impacted by a cyber threat
08:03
had contributory negligence and therefore they had no claim of harm. In 2007 you may recall a class action lawsuit that was brought against TJ Maxx again because of a massive
08:16
that
08:18
this is one of the first cases seeking tens of millions of dollars and sanctions for a claim of negligence
08:24
estate in earlier slides. Because the banks did not file on Lee, the consumers
08:31
no tangible harm could be shown
08:33
only an inconvenience,
08:35
and as a result,
08:37
the case was thrown out. A similar event took place in 2009 with the Heartland Corporation
08:45
again, another cyber breach.
08:48
While the same disposition of not finding adequate grounds to show Herm was present,
08:54
there is interesting to note that just prior to this breach, hurt land actually passed a PC I audit with flying colors.
09:03
Now this is very important to know, because simply saying you are quote unquote compliant
09:11
does not negate a civil claim against your organization.
09:15
So in layman terms,
09:16
you don't have any safe harbor agreement just because you're compliant.
09:22
It may give you cover from the PC I Data Security Council, but it will not protect you against 47 state attorney generals
09:31
or protection from
09:33
private class action lawsuits.
09:35
Keeping a mind you can't really fault the PC I auditors. In this scenario, either
09:39
the auditors can only examine what is within the scope of the network that processes the credit card data
09:46
with Heartland.
09:48
The vector of attacks stem from preaching a week database configuration that apparently was connected to another database that was, in fact, within the scope of the PC I assessment.
10:01
So the auditor is not aware of that connective ity.
10:05
They can't really be held accountable for that gap in knowledge. Now, in 2013
10:11
we have target. Not sure if you're aware of this or not. But
10:16
from the time that this breach was made public in just 10 calendar days, Target stock dropped from around $63 a share
10:24
2 $50 this year.
10:26
And unlike TJ Maxx and Heartland, in this case that banks actually did file suit against Target, it survived basically the first reviews by the court,
10:37
and it's ultimately up the value. The claim
10:39
and Target settled this case with publicly farming with publicly disclosed expenses in the range of over $250 million
10:50
and as a refresher again, target was also PC I compliant.
10:56
How did they get breached?
10:58
1/3 party, Business Associates network that managed their H back on the refrigerators and freezers and the target stores
11:05
was compromised.
11:07
So by being able to compromise a business associate, they re able to successfully penetrate
11:13
Target's network
11:15
and obtained a credit card details
11:18
and finally, in 2014
11:20
Home Depot.
11:22
The key finding to note in this case is that while harm to consumers was highly questionable,
11:28
they're a violation of numerous date disclosure laws was, in fact self evident.
11:33
This resulted in a settlement of over $19 million.
Up Next
Corporate Cybersecurity Management

Cyber risk, legal considerations and insurance are often overlooked by businesses and this sets them up for major financial devastation should an incident occur.

Instructed By