webcast1

Entertainment

Published on October 29, 2007

Author: Jolene

Source: authorstream.com

Information Security Liability in Cyberspace: Emerging Legal Security Risks in Electronic Commerce
Internet Webcast, July 20, 2000
Sponsored by: The Legislation and Public Policy Working Group of The Partnership for Critical Infrastructure Security

Disclaimer
The legal analysis of any situation depends on a variety of factors that cannot be properly represented or accounted for in the information contained in this presentation or any other document available on ITAA’s Internet website. The subject matter discussed in this program is intended as general information only, and is not intended to serve as legal advice or as a substitute for legal counsel. If you have a question about a specific fact situation, you should contact an attorney directly. To find a qualified attorney, you can contact ITAA, search our website for associate member firms, or consult your local bar association.

Faculty
- Doug Sabo – Vice President, InfoSec Programs, Information Technology Association of America (ITAA)
- Lino S. Lipinsky – Partner, McKenna & Cuneo, L.L.P.
- Alexander J. Brittin – Partner, McKenna & Cuneo, L.L.P.

Overview
- What is “The Partnership for Critical Infrastructure Security”?
- The Scope of the IT Security Liability Problem
- The Legal Background for Approaching IT Security Liability Issues
- Damages in the Information Security Context
- The Concept of Due Care
- Case Study: The E*Trade Litigation
- Security Risk Management as Part of Good Business Practices

What is “The Partnership for Critical Infrastructure Security”?

The Scope of the Information Technology Security Problem

The 2000 Computer Crime and Security Survey (by the Computer Security Institute and the San Francisco FBI)
- 273 responses – primarily large companies and government agencies surveyed
- 90% reported computer or security breaches
- 70% detected theft of proprietary information, financial fraud, system penetration, denial of service attacks, or sabotage of data
- 74% acknowledged financial losses due to breaches

The 2000 Computer Crime and Security Survey (continued)
Of the 273 corporations and government agencies responding:
- 61 identified sabotage of data or networks, causing $27,148,000 in losses
- 66 reported $66,708,000 in losses resulting from theft of proprietary information
- 53 lost $55,996,000 due to financial fraud

The 2000 Computer Crime and Security Survey (continued)
Based on the responses from 643 computer security practitioners in corporations and government agencies:
- 25% detected system penetration
- 27% reported denial of service attacks
- 79% found employee abuse of Internet access privileges
- 85% found computer viruses

The 2000 Computer Crime and Security Survey (continued)
According to the 273 respondents, $265,589,940 of total losses were attributed to breaches of IT security in the last year.
http://www.gocsi.com

The Legal Background for Approaching IT Security Liability Issues

Select Federal Statutes Establishing Liability & Private Right of Action
- 18 U.S.C. §§ 1030, et seq. – Computer Fraud and Abuse Act
- 18 U.S.C. §§ 2510, et seq. – Unauthorized interception, use, or disclosure of an electronic communication
- 18 U.S.C. §§ 2701, et seq. – Cyberspace Electronic Security Act

Contract Law Theories
- Courts allow limited damages in contract cases (e.g., punitive damage awards are unlikely in contract cases)
- Goal: enforce contracts as written
  - Apply agreed-upon limits on liability and damages
  - Don’t “tortify” contracts
  - Allow for certainty in commercial dealings
- But courts may allow a plaintiff to pursue a claim for additional damages

Uniform Computer Information Transactions Act (UCITA)
- Adopted in Virginia and Maryland in 2000
- Introduced in Delaware, D.C., Hawaii, Illinois, New Jersey, and Oklahoma
- Enforces shrinkwrap licenses
- Allows for “self-help” remedies
- Allows use of contracts entered into by electronic agents

Global Concerns
- The jurisprudence governing e-commerce is not limited to United States law
- Companies/Web operators may find themselves subject to jurisdiction overseas through Internet business transactions
- Are choice of law and choice of forum clauses the solution? Or are treaties needed?

Liability and Emerging Trends
- Denial of Service Liability
  - Distributed denial of service attacks
- Third-Party Liability for Actions of Business Partners
  - Breach of contract (actual/implied third party beneficiary)
  - Statutory (HIPAA, Privacy Act, G-L-B)
- Statutorily Designating Personal Information as Property
  - Currently, limited rights unless collected by government
  - Once a property right exists, conversion occurs if the information is taken without authorization (in addition to possible breach of contract/tort violations)

Damages in the Information Security Context

Limits on Plaintiffs’ Remedies
- The “Economic Loss” Rule/Doctrine
  - No recovery allowed for purely economic loss, absent personal injury or property damage
  - May substantially reduce damages to e-businesses resulting from security breaches due to lack of a “physical loss”
  - Example – The Chicago Flood Litigation

Is Damage to an IT System “Physical Injury”?
- See Rockport Pharmacy, Inc. v. Digital Simplistics, Inc., 53 F.3d 195 (8th Cir. 1995) – Loss to data caused by failure of disk drives cannot give rise to a tort claim because damage was limited to lost profits.
- But see American Guarantee & Liability Ins. Co. v. Ingram Micro, Inc., No. CIV 99-185 TUC ACM (D. Ariz. Apr. 19, 2000) – Loss of programming information and custom configurations as a result of a power outage constitutes physical damage to property.

The Concept of Due Care

The Principle of Due Care
- General standard of professional care
- “Reasonable person” test
- Legal standards have yet to be fully developed in the information security context
- “Best practices” can turn into legal benchmarks
- If an organization or its agents fails to prevent a foreseeable potential harm – breach of its duty to avoid harm.

“Information protection is an integral element of due care. Senior management is charged with two basic responsibilities: a duty of loyalty – this means that whatever decisions they make must be made in the best interest of the enterprise. They are also charged with a duty of care – this means that senior management is required to protect the assets of the enterprise and make informed business decisions. An effective information protection program will assist senior management in meeting these duties.”
– Thomas R. Peltier, Certified Information Systems Security Professional, Information Protection Fundamentals, Computer Security Institute (1998)

Defining a Standard of Due Care
Sources of security principles:
- OECD’s Guidelines for the Security of Information Systems
- National Institute of Standards and Technology’s (NIST) Generally Accepted System Security Principles (“GSSPs”)
- British Standard 7799, Code of Practice for Information Security Management

OECD’s Guidelines for the Security of Information Systems
- Accountability and awareness of owners, providers and users
- Ethics: rights and interests of others are protected
- Multidisciplinary: address all considerations and views
- Proportionality: security is appropriate in light of risk
- Integration: security actions are coordinated in the organization
- Timeliness: promptly respond to security breaches
- Reassessment: security of information and systems is periodically assessed
- Democracy: flow of data is compatible with a democratic society

NIST’s GSSPs
Computer security:
- Supports the organization’s mission
- Integral element of sound management
- Cost effective
- Owners have security responsibilities outside their own organization
- Responsibilities and accountability should be made explicit
- Comprehensive and integrated approach
- Periodically reassessed
- Constrained by societal factors

UK – BS7799 Code of Practice
The BS7799 Standard has 10 major sections:
1. Security policy
2. Security organization
3. Asset classification and control
4. Personnel security
5. Physical and environmental security
6. Computer and network management
7. System access control
8. System development and maintenance
9. Business continuity planning
10. Compliance

Case Study: The E*Trade Litigation

The E*Trade Litigation
- At least two cases based on alleged monetary losses caused by computer problems at E*Trade’s website
- While not directly arising from security breaches, these cases could serve as a model for security-based litigation
- E*Trade’s trading page crashed four times from February 2-5, 1999
- Plaintiffs sought class action status

Legal Theories Asserted Against E*Trade
- Breach of contract
- Breach of fiduciary duty/unjust enrichment
- Fraud
- Unfair and deceptive trade practices
- Negligence/intentional tort
- Injunctive relief

Rulings in E*Trade Case (Ohio)
- The trial court refused to enforce the arbitration language contained in E*Trade’s form application
- The Ohio Court of Appeals held that the trial court should have decided whether the case would proceed as a class action before reaching the arbitrability issue

Lessons from E*Trade Litigation: Language for User Agreements
- Limit liability by addressing potential system crashes, hacking, and denials of service
- Can loss of service due to equipment or software malfunction be deemed an “Act of God”?
- Exclude liability due to intentional acts of third parties (cf. strikes, riots, insurrections, etc.)

Example of “Force Majeure” Language
“Broker shall not be liable for any loss or delay caused directly or indirectly by war, natural disaster, government restrictions, exchange or market rulings, suspension of trading, strikes, mail delays, telecommunications and data processing failures, equipment failures, or any other conditions, whether similar or dissimilar to the foregoing, beyond Broker’s control.”

Another Approach: Explicit Warning
“…during periods of extraordinary volatility and volume, customers using online or automated trading services may experience delays in accessing their account due to high Internet traffic or systems capacity limitations. Similarly, customers may experience delays in reaching telephone representatives. Please be aware that market conditions, including stock and bond prices, may change during these periods. Broker offers multiple channels through which you may place orders or access information, including the Web, touch-tone phone, and telephone representatives…”

Security Risk Management as Part of Good Business Practices

Security Risk Management
- Develop internal risk management programs
- Consider insurance as an asset
  - Business interruption coverage
  - Property insurance policies (first-party and third-party)
  - CGL policies
  - “Cyberpolicies”
  - Audits may be a prerequisite for coverage
- Use contractual provisions to attempt to limit liability

Contact Information
- Doug Sabo – ITAA – dsabo@itaa.org – (703) 522-5055 – http://www.itaa.org
- Lino S. Lipinsky – McKenna & Cuneo, L.L.P. – lino_lipinsky@mckennacuneo.com – (202) 496-7243 – http://www.mckennacuneo.com
- Alexander J. Brittin – McKenna & Cuneo, L.L.P. – alex_brittin@mckennacuneo.com – (202) 496-7726 – http://www.PrivacySecurityNetwork.com

Information Security Liability in Cyberspace: Emerging Legal Security Risks in Electronic Commerce
Copyright 2000, Information Technology Association of America and McKenna & Cuneo LLP. All rights reserved. You may print, reproduce, retrieve, or use the information and images contained in ITAA web pages for non-commercial, informational, personal, or educational purposes only, provided you (1) do not modify such information and (2) include both this notice and any copyright notice originally included with such information. If this material is used for other purposes, you must obtain permission from ITAA or McKenna & Cuneo, LLP, to use the copyrighted material prior to its use.
