Time
48 minutes
Difficulty
Advanced
CEU/CPE
1

Video Description

This lesson covers legal concepts relative to cyber security and covers the following: 1. Duty: does the defendant have the responsibility to protect information? 2. Negligence: Is there evidence that the defendant did not fulfill his or her duty of care? 3. Damage: did the plaintiff suffer quantifiable harm? 4. Cause: Can the breach of duty related to the damages be considered a primary cause?

Video Transcription

00:04
Before we dive into the legal concepts that are relative to cyber security, a little disclaimer.
00:09
I do not claim to be an attorney, nor do I play one on television. However, if I were, it's important to know that all details contained in this training are based upon open source information,
00:29
and with attribution.
00:30
They should not be construed as legal advice or legal guidance. It's merely for informational purposes only.
00:37
Okay, so now let's talk about legal concepts relative to cyber security.
00:43
I'm going to preface this section by highlighting for you that several years ago I applied these same concepts in the pursuit of a pro se case, which means I filed all my own
00:55
against a company whose poor cyber hygiene allowed for the unauthorized disclosure of my personal information.
01:02
Well, the terms of settlement included a non-disclosure agreement,
01:04
so I cannot disclose who was involved. But what I can advise is the fact that when you add up what I was compensated,
01:12
plus the estimated legal fees for them to defend their position, a simple database configuration that cost $1,800 to resolve
01:22
wound up costing this business approximately $113,000.
01:27
You've probably heard the term due diligence.
01:30
Everyone loves to throw this one around.
01:33
There's just one problem.
01:34
It is only a fraction of the equation
01:38
when assessing a claim of negligence.
01:42
Now we're gonna be talking about this equation later in the session, actually on the next slide. But let's face it
01:48
what do business owners actually care about?
01:51
the bottom line.
01:52
And make no mistake, a lawsuit hits that bottom line.
01:56
What most board members know is the term duty of care,
02:00
and this is sometimes also referred to as the standard of care.
02:05
I will give you a couple of seconds to review this passage.
02:15
Now let's examine the four elements that can lead to a civil or even criminal case based on negligence.
02:22
Duty: does the organization have a duty to protect?
02:24
A great example here is if you maintain, transmit
02:28
or receive credit card information.
02:30
Negligence.
02:32
An example may include a utility company that had not yet patched a year-old vulnerability on a server
02:38
that resulted in an elderly homeowner freezing to death
02:43
because the power was shut off.
02:45
Damage.
02:46
Damages are the cornerstone argument, but where so many prior cases before Target have failed.
02:52
People have been launching civil cases against companies like Heartland, TJ Maxx and others for years. Why do these cases keep getting thrown out of court?
03:02
Because the judges have ruled that a cardholder
03:06
who experiences fraud due to a breach
03:08
has been exposed to an inconvenience
03:13
and not necessarily harm.
03:15
And the reason why is because the banks reimburse their customers.
03:20
And finally, cause:
03:23
is the basis of the negative action directly tied to the offending party
03:28
here?
03:29
Was there contributory negligence? What that means is, okay, so yes, you had your bank account
03:36
that got hacked.
03:38
But you were also looking at a pornographic website and were infected with malware.
03:42
So now you have contributed, albeit unintentionally,
03:46
to the act, resulting in fraud
03:49
against your own account. On the prior slide, I made reference to the term due diligence.
03:55
So what exactly is due diligence
03:59
in layman's terms?
04:00
What would a reasonable and prudent person do under the same circumstances?
04:05
If you maintain, store or transmit credit card data,
04:11
should you do a penetration test?
04:14
A reasonable and prudent person would, because you want to make sure that you can protect
04:18
the data.
04:19
Now let's talk about due care.
04:21
The fact that you did a pen test doesn't mean that that's where it stops. You obviously have results from that examination.
04:30
Due care
04:31
is a premise based on what you do after the fact. So now that you found some weaknesses, what have you, as a reasonable and prudent person, done
04:44
to be able to rectify the situation?
04:46
Now,
04:47
the fact that an organization did not take remediative action does not necessarily mean that they're negligent.
04:56
However,
04:58
if that same organization does not properly document
05:01
the rationale as to why they did not remedy the situation and how that conclusion was based on risk, bring your checkbook, because when you go to court, you better have a lot of room for a number of zeros in that check.
05:15
So ultimately, what we're left with is the equation that due diligence plus due care actually equals the duty of care.
05:24
Okay, I get it. There's always gonna be a number of individuals
05:28
who are going to take the position of,
05:30
well, if I don't do a penetration test, I won't know about where my weaknesses are. And if I don't know about it, then I can't be held accountable for it, right?
05:41
Well, we're gonna explore these legal concepts and how they apply in recent court cases. And if you still feel that way after the end of the session,
05:49
more power to you. While there are many more cases than what I am highlighting that pertain to cybersecurity breaches, I'm only focusing on these five examples
05:59
because they were highly publicized
06:01
or
06:02
noteworthy for this session.
06:04
The first case we will examine is the state of Maine's Public Utility Commission versus Verizon.
06:10
So here's essentially what happened.
06:12
Verizon leases the lines from the state of Maine and was charged, I think, back in '03, $67,000 a month or somewhere around that dollar value.
06:23
Some of you may recall back in the early 2000s
06:26
mass propagation of worms.
06:29
This is back in the days of Code Red and Nimda.
06:32
Well, in this particular instance, this is when the slammer worm was running wild.
06:39
The patch that was available to remedy the Microsoft vulnerability had been around for over a year.
06:46
Unfortunately for Verizon, they did not patch
06:49
and
06:50
their systems got crushed. As a result,
06:54
they were unable to use their infrastructure
06:57
So when the bill came in for $65,000
07:00
they fought it. When it went to arbitration,
07:03
the presiding judge was able to notice that
07:06
AT&T
07:09
applied the patch
07:10
and they went unharmed.
07:12
MCI Telecom applied the patch and they also
07:16
were unharmed.
07:17
So the presiding arbitrator basically took the position of saying, so let me get this straight: these guys applied the patch, they're safe,
07:26
you didn't apply the patch,
07:29
and somehow you still expect a favorable ruling. So by comparing AT&T and MCI to Verizon, this commission essentially leveraged what is known as a neighbor policy: what would a reasonable and prudent person do in the same line of business with the same scope and charter?
07:46
The presiding judge also went on to advise that these attacks are foreseeable
07:50
and preventable.
07:53
So much for sticking your head in the sand. This was a big first step because for the first time, the bench is essentially saying a private enterprise impacted by a cyber threat
08:03
had contributory negligence and therefore they had no claim of harm. In 2007 you may recall a class action lawsuit that was brought against TJ Maxx again because of a massive
08:16
that
08:18
this is one of the first cases seeking tens of millions of dollars and sanctions for a claim of negligence
08:24
As stated in earlier slides, because the banks did not file, only the consumers,
08:31
no tangible harm could be shown
08:33
only an inconvenience,
08:35
and as a result,
08:37
the case was thrown out. A similar event took place in 2009 with the Heartland Corporation
08:45
again, another cyber breach.
08:48
While the same disposition of not finding adequate grounds to show harm was present,
08:54
it is interesting to note that just prior to this breach, Heartland actually passed a PCI audit with flying colors.
09:03
Now this is very important to know, because simply saying you are quote unquote compliant
09:11
does not negate a civil claim against your organization.
09:15
So in layman terms,
09:16
you don't have any safe harbor agreement just because you're compliant.
09:22
It may give you cover from the PCI Data Security Council, but it will not protect you against 47 state attorneys general
09:31
or protection from
09:33
private class action lawsuits.
09:35
Keeping in mind, you can't really fault the PCI auditors in this scenario either;
09:39
the auditors can only examine what is within the scope of the network that processes the credit card data
09:46
with Heartland.
09:48
the vector of attack stemmed from breaching a weak database configuration that apparently was connected to another database that was, in fact, within the scope of the PCI assessment.
10:01
So if the auditor is not aware of that connectivity,
10:05
they can't really be held accountable for that gap in knowledge. Now, in 2013
10:11
we have Target. Not sure if you're aware of this or not, but
10:16
from the time that this breach was made public in just 10 calendar days, Target stock dropped from around $63 a share
10:24
to $50 a share.
10:26
And unlike TJ Maxx and Heartland, in this case the banks actually did file suit against Target. It survived basically the first reviews by the court,
10:37
and it ultimately upheld the validity of the claim,
10:39
and Target settled this case with publicly disclosed expenses in the range of over $250 million,
10:50
and as a refresher again, Target was also PCI compliant.
10:56
How did they get breached?
10:58
A third-party business associate's network that managed their HVAC on the refrigerators and freezers in the Target stores
11:05
was compromised.
11:07
So by being able to compromise a business associate, they were able to successfully penetrate
11:13
Target's network
11:15
and obtain the credit card details.
11:18
and finally, in 2014
11:20
Home Depot.
11:22
The key finding to note in this case is that while harm to consumers was highly questionable,
11:28
there a violation of numerous data disclosure laws was, in fact, self-evident.
11:33
This resulted in a settlement of over $19 million.


Instructed By

Carter Schoenberg
Executive VP of IPKeys Power Partners
Instructor