Before we dive into the legal concepts relative to cyber security, a little disclaimer.
I do not claim to be an attorney, nor do I play one on television. However, even if I were, it's important to know that all details contained in this training are based upon open source information, with attribution. They should not be construed as legal advice or legal guidance; it's merely for informational purposes only.
Okay, so now let's talk about legal concepts relative to cyber security.
I'm going to preface this section by highlighting for you that several years ago I applied these same concepts in the pursuit of a pro se case, which means I did all of my own filings against a company whose poor cyber hygiene allowed for the unauthorized disclosure of my personal information. Well, the terms of settlement included a non-disclosure agreement, so I cannot disclose who was involved. But what I can advise is the fact that when you add up what I was compensated, plus the estimated legal fees for them to defend their position, a simple database configuration that cost $1,800 to resolve wound up costing this business approximately $113,000.
You've probably heard the term due diligence. Everyone loves to throw this one around. There's just one problem: it is only a fraction of the equation when assessing a claim of negligence.
Now we're gonna be talking about this equation later in the session, actually on the next slide. But let's face it, what do business owners actually care about? And make no mistake, a lawsuit hits that bottom line.
What most board members know is the term duty of care, and this is sometimes also referred to as the standard of care. I will give you a couple of seconds to review this passage.
Now let's examine the four elements that can lead to a civil or even criminal case based on negligence against the organization. Have a duty to protect: a great example here is if you maintain, transmit or receive credit card information. An example may include a utility company that had not yet patched a year-old vulnerability on a server, which resulted in an elderly homeowner freezing to death because the power was shut off.
Damages, the cornerstone argument, but where so many prior cases before Target have failed. People have been launching civil cases against companies like Heartland, TJ Maxx and others for years. Why do these cases keep getting thrown out of court? Because the judges have ruled that a cardholder who experiences fraud due to a breach has been exposed to an inconvenience and not necessarily harm. And the reason why is because the banks reimburse their customers.
Is the basis of the negligent action directly tied to the offending party? Was there contributory negligence? What that means is, okay, so yes, you had your bank account compromised, but you were also looking at a pornographic website and were infected with malware. So now you have contributed, albeit unintentionally, to the act resulting in fraud against your own account.
On the prior slide, I made reference to the term due diligence. So what exactly is due diligence? What would a reasonable and prudent person do under the same circumstances? If you maintain, store or transmit credit card data, should you do a penetration test? A reasonable and prudent person would. Why? Because you want to make sure that you can protect that data.
Now let's talk about due care. The fact that you did a pen test doesn't mean that that's where it stops. You obviously have results from that examination. Due care is a premise based on what you do after the fact. So now that you've found some weaknesses, what have you, as a reasonable and prudent person, done to be able to rectify the situation? The fact that an organization did not take remedial action does not necessarily mean that they're negligent. But if that same organization does not properly document the rationale as to why they did not remedy the situation and how that conclusion was based on risk, bring a checkbook, because when you go to court, you'd better have a lot of room for a number of zeros in that check. So ultimately, what we're left with is the equation that due diligence plus due care actually equals the duty of care.
Okay, I get it. There's always gonna be a number of individuals who are going to take the position of: well, if I don't do a penetration test, I won't know where my weaknesses are, and if I don't know about it, then I can't be held accountable for it, right? Well, we're gonna explore these legal concepts and how they apply in recent court cases, and if you still feel that way after the end of the session, more power to you. While there are many more cases than what I am highlighting that pertain to cybersecurity breaches, I'm only focusing on these five examples because they were highly publicized and noteworthy for this session.
The first case we will examine is the State of Maine's Public Utility Commission versus Verizon. So here's essentially what happened. Verizon leases the lines from the State of Maine and has charged, I think, back in '03, $67,000 a month or somewhere around that dollar value. Some of you may recall back in the early two thousands the mass propagation of worms. This is back in the days of Code Red and Nimda. Well, in this particular instance, this is when the Slammer worm was running wild. The patch that was available to remedy the Microsoft vulnerability had been around for over a year. Unfortunately for Verizon, they did not patch, and their systems got crushed. As a result, they were unable to use their infrastructure, so when the bill came in for $65,000, they fought it. When it went to arbitration, the presiding judge was able to notice that AT&T applied the patch and they went unharmed. MCI Telecom applied the patch and they also went unharmed. So the presiding arbitrator basically took the position of saying, so let me get this straight: these guys applied the patch, they're safe; you don't apply the patch, and somehow you still expect a favorable ruling? So by comparing AT&T and MCI to Verizon, this commission essentially leveraged what is known as a neighbor policy: what would a reasonable and prudent person do in the same line of business with the same scope and charter? The presiding judge also went on to advise that these attacks are foreseeable. So much for sticking your head in the sand. This was a big first step, because for the first time the bench is essentially saying a private enterprise impacted by a cyber threat had contributory negligence and therefore they had no claim of harm.
In 2007 you may recall a class action lawsuit that was brought against TJ Maxx, again because of a massive breach.
This is one of the first cases seeking tens of millions of dollars in sanctions for a claim of negligence. As stated in earlier slides, because the banks did not file, only the consumers, no tangible harm could be shown, only an inconvenience, and the case was thrown out. A similar event took place in 2009 with the Heartland Corporation,
again, another cyber breach. While the same disposition of not finding adequate grounds to show harm was present, it is interesting to note that just prior to this breach Heartland actually passed a PCI audit with flying colors. Now this is very important to know, because simply saying you are quote unquote compliant does not negate a civil claim against your organization. You don't have any safe harbor agreement just because you're compliant. It may give you cover from the PCI Data Security Council, but it will not protect you against 47 state attorneys general or private class action lawsuits. Keep in mind, you can't really fault the PCI auditors in this scenario either. The auditors can only examine what is within the scope of the network that processes the credit card data. The vector of attack stemmed from breaching a weak database configuration that apparently was connected to another database that was, in fact, within the scope of the PCI assessment. So if the auditor is not aware of that connectivity, they can't really be held accountable for that gap in knowledge. Now, in 2013
we have Target. Not sure if you're aware of this or not, but from the time that this breach was made public, in just 10 calendar days Target stock dropped from around $63 a share. And unlike TJ Maxx and Heartland, in this case the banks actually did file suit against Target. It survived basically the first reviews by the court, and that ultimately upped the value of the claim, and Target settled this case with publicly disclosed expenses in the range of over $250 million. And as a refresher again, Target was also PCI compliant. How did they get breached? A third-party business associate's network that managed the HVAC on the refrigerators and freezers in the Target stores. So by being able to compromise a business associate, they were able to successfully penetrate and obtain the credit card details.
And finally, in 2014: the key finding to note in this case is that while harm to consumers was highly questionable, a violation of numerous data disclosure laws was, in fact, self-evident. This resulted in a settlement of over $19 million.