Legal Aspects of Information Security
Transcript of Legal Aspects of Information Security
Legal impact on information security
“Information and the technology used to access, utilize, store, and transfer it have become the primary drivers of value and wealth creation in today's global digital economy.... Failure to protect these valuable information assets can result in devastating consequences, including major financial losses and legal liability”
(CGI Group, 2004)
Infosec implementation in EU MS
CoE Cybercrime convention (2001)
European Network and Information Security Agency (ENISA) 2004
European Commission Communication on Network and Information Security: Proposal for A European Policy Approach, COM (2001) 298 final (June 6, 2001)
European Commission Communication, i2010 – A European Information Society for growth and employment, COM (2005) 229 final (June 1, 2005)
European Commission Communication, A strategy for a Secure Information Society – “Dialogue, partnership and empowerment,” COM (2006) 251 final (May 31, 2006)
European Commission Communication on Critical Information Infrastructure Protection – “Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience”, COM (2009) 149 final (Mar. 30, 2009)
European Commission Proposal for a Directive of the European Parliament and of the Council on attacks against information systems and repealing Council Framework
Decision 2005/222/JHA, COM (2010) 517 final (Sept. 30, 2010)
Digital Agenda for Europe 2010-2020
CERT for EU institutions and Member States
Imperfection of technology and the misalignment between risk and risk mitigation capability
Reactive nature of law - it trails behind technological innovation (sometimes it is too late and too costly)
Language of the law (the meaning of concepts becomes blurred when applied to new technology)
*should legislation be technologically neutral?
Jurisdictional issues (double criminality, e.g. the Love Bug case)
Difficulty in enforcement due to the borderless nature of the Internet
Difficulty in detecting breach in some cases
Umbrella for other measures
conducive atmosphere - backing up organizational and self-regulatory enforcement
*organizational (professional rules, certification, accreditation, standardization: ISO 27001)
*self regulation (Safe Harbor, Binding Corporate Rules)
Standards usually represent industrial practice
Voluntary standards and guidelines as developed by ISO or non-regulatory agencies (NIST, ENISA) are not “mandatory regulations.”
Compliance with such standards and guidelines (e.g. the ISO 27000 series) therefore constitutes no defense in itself against a product liability claim or an information security breach
Intersection of law and information security standards
- physical facility and device security control, data/hardware destruction
- technical access control, intrusion detection procedures, backups, audit/log trails, encryption, etc.
- Employee training and education, contractual obligation, etc
What are appropriate technical
Specific safeguards v. Reasonable safeguards
How is obligation framed?
Network and information security –
“the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data and the related services offered by or accessible via these networks and systems.”
(Regulation 460/2004, art. 4(c))
What is information security?
Sources of Obligation
Statutes/ Regulation/ Directives
Data Protection/Privacy laws
e-Signature Directive, E-commerce Directive
Employment law, Consumer Protection law, Intellectual Property law
Corporate Governance legislations
Official secret law, Criminal law, etc
Tort of Negligence
United Nations Convention on the Use of Electronic Communications in International Contracts (Art. 9)
Council of Europe Convention on Cybercrime
Case law/ Rule of Evidence
Lorraine v. Markel
(Evidence rejected for lack of authentication)
Payment Card Industry Data Security Standards, EV SSL Guidelines for certification
EC Model Contractual Clauses for International Data Transfer
Deceptive trade practice – s. 5 FTC Act
Should there be an obligation to secure information and information systems?
Statutes of Anne (1710)
Should information assets enjoy legal protection?
EU Developments on information security
Develop and implement standards and procedures to prevent and detect criminal conduct
Assign responsibility and ensure adequate resources at all levels, and authority for the program
Perform personnel screening as applicable (in accordance with laws, regulations, and labor union requirements) and as related to program goals and the responsibilities of the staff involved
Ensure adequate and effective awareness and training at all levels of the organization
Ensure auditing, monitoring, and evaluating activities occur to verify program effectiveness
Implement internal reporting systems that ensure non-retaliatory reaction
Provide incentives and enforce discipline to promote compliance
Consistently take reasonable steps to respond to violations and prevent similar violations from occurring – (show how complaints are handled)
Documentation of activities
Punitive measure (criminalization of activities that breach information security)
Rapidshare and Megaupload cases
Data breach notice and remedial measures
Award of compensation/fines
ICO fine against Sony for data breach
Expansion of duty via case law
Bell v. Michigan Council
Court held that “defendant did owe plaintiffs a duty to protect them from identity theft by providing some safeguards to ensure the security of their most essential confidential identifying information.”
Guin v. Brazos Education
Court acknowledged that in some negligence cases, a duty of care may be established by statute (in that case, the GLB Act).
Wolfe v. MBNA America Bank
Court found that where the injury is foreseeable and preventable, the “defendant has a duty to verify the authenticity and accuracy of a credit account application.”
Art 17 DPD – Technical and organizational security measures
Privacy by design and security by design
Incorporation of infosec as part of corporate governance
Data Protection Impact Assessment (Draft DP Regulation)
Dissuading attacks against critical information infrastructure by penal sanctions
(Directive on attacks against information systems (Directive 2013/40/EU); Council of Europe Convention on Cybercrime)
European Convention on Human Rights
Data Protection Directive
- place responsibility on the data controller
I v. Finland
- Disclosure of HIV status
(ECHR, Application no. 20511/03)
In the EU
In the U.S.
Sarbanes-Oxley Act, responsibility lies with the CEO and the CFO.
In the financial industry, the Gramm-Leach-Bliley (“GLB”) places responsibility directly with the Board of Directors.
In the healthcare industry, the HIPAA security regulations require an identified security official to be responsible for compliance.
Federal laws place the responsibility within each government agency on the head of such agency.
Who is responsible for organizational information security?
Mitigation measures must focus on responding to the threats identified in the risk assessment
Armed guards don’t protect against Internet access
Firewalls don’t protect against dishonest employees
Information security threats
Elements of the process
conducting periodic risk assessments
developing and implementing a responsive security program
employee training and education
monitoring and testing the program
continuous review and adjustment of the program
documentation of activities
monitoring third party service provider arrangements
imposition of contractual obligation
Risk and cost of implementation
(Art. 17 DPD)
Size of organization and value of information
(FTC Safeguard Rules)
Article 17 (DPD)
1. Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
HIPAA Administrative Simplification
- Disadvantages of specific/explicit safeguards
FCC’s CPNI Regulations explicitly require telecommunications carriers to authenticate customers by using a password before granting them online access to customer proprietary network information.
COPPA Rule by the FTC in 1999 declares “secure web servers” and “firewalls” appropriate technical security measures to protect the security of children’s personal information
Nature of Obligation
To refrain from violating information security
e.g. attacks against information systems (CFAA, Directive on attacks against information systems, United States v. Lloyd)
Circumvention of TPM (DMCA, Infosoc Directive)
On Corporate bodies
A duty to provide reasonable security for their corporate data and information systems
A duty to disclose security breaches to those who may be adversely affected by such breaches (focused primarily on personal information)
Localization of data
A duty to provide security may come from several sources, each asserting jurisdiction over a different aspect of information.
Expanding information security duty in the wake of personal privacy recognition (Art. 17 of the DPD)
Security obligations regarding specific data elements and controls - HIPAA, Gramm-Leach-Bliley Act
The imposition of a duty to notify breaches (46 US states, e-Privacy Directive, EU-DPR, Austrian and German DPAs)
State oversight/audit assessment (Art. 4, e-privacy Directive as amended in Directive 2009/136/EC)
Proactive obligation to conduct a risk assessment (Art 33 EU-DPR)
International harmonization of data security standards (ISO/IEC 27001, PCI Standards, OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, 2002)
Shift in Public Attitude
It depends…
Espionage by other states (official secret)
Trade secret enforcement
Subject of reasonable efforts by the rightful holder of the information to maintain its secrecy (Art. 39 TRIPS)
Purposes of Evidence
American Express v. Vinhnee
It has to be established “what has, or may have, happened to the record in the interval between when it was placed in the files and the time of trial … one must demonstrate that the record that has been retrieved from the file, be it paper or electronic, is the same as the record that was originally placed into the file”
Dowling v. United States 473 U.S. 207 (1985)
Cf. Carpenter v. United States 467 U.S. 986 (1984)
“He who receives an idea from me, receives instructions himself without lessening mine; as he who lights his taper at mine, receives light without darkening me. That ideas should be spread from one to another over the globe, for the moral and mutual instruction of man, and improvement of his condition, seems to have been peculiarly and benevolently designed by nature...."
“If nature has made any one thing less susceptible than all others of exclusive property, it is the action of the thinking power called an idea, which an individual may exclusively possess as long as he keeps it to himself but the moment it is divulged, it forces itself into the possession of everyone ….”
Nature and content of information security measures
How to show compliance
Challenges in maintaining information security
EU Sources of Infosec. Obligations
Convention on Cybercrime (EU Member States)
European Convention on Human Rights (Art. 8)
Data Protection Directive (Art. 17)
Directive 2013/40/EU on attacks against information systems and replacing Council Framework Decision 2005/222/JHA.
E-Privacy Directive (Art. 4) (see amendment in Directive 2009/136/EC)
InfoSoc Directive (Art. 6)
Data Retention Directive (Art. 7) (No longer applicable)
E-signature Directive (see Art. 5(1) and annex II)
Sectoral Regulations, e.g. Art. 13a Directive 2009/140/EC - Better Regulation Directive (electronic communications sector); Medical Devices Directive; Telecoms Framework
Virus attacks (Trojan horse)
Failure of hardware
"Information security is a process, not a product"
A discretionary approach
The nature of the legal obligation is often poorly understood
By management charged with the security responsibility,
By the technical experts who must implement it,
By the lawyers who must ensure compliance
“means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—
(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity;
(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
(C) availability, which means ensuring timely and reliable access to and use of information.”
(FISMA 44 U.S.C. § 3541 (b)(1))
Criminal dispossession of property (protects the market value of information)
Falsification of documents/identity theft (protects information integrity)
Remedy for Trade Secret, Copyright violations (protects the market value of information)
Criminalisation of circumvention of IPR technical protective measures
Communication b/w patient and doctor (confidentiality)
Freedom of information (availability)
Data protection law
Information privacy (Confidentiality, integrity, availability….)
Intellectual Property Right
Is Information Property?
- Protection from what?
Defining the scope
What informational assets do we refer to?
- Digital information
- Non-digital information
What do we secure?
To look at legal trend in informational asset protection
To identify sources of information security law in the EU and beyond
To identify the intersection of law and information security standards
To identify challenges in showing compliance with information security obligations
ICO's Sony Entertainment fine
Tsunami in Japan
2015 Summer School (INSITU)
Leibniz University Hannover
Legal Aspects of Information Security
Iheanyi Samuel Nwankwo
Fairstar v Adkins  EWHC 2952 (TCC)
Some regulations are developing standards or incorporating existing ones
DPD did not refer to any standard
Proposed DPR Art. 39 refers to technical standards for certification mechanisms and data protection seals and marks
German Federal Data Protection Commission (ed.): Data Protection Module for the IT-Grundschutz Catalogues, Berlin (2007), http://www.bsi.de/gshb/bausteindatenschutz/index.htm
(See Art 9 German Federal Data Protection Act and the Annex)
French CNIL Guide on Security of Personal Data
Belgium Data Protection Commission: Guidelines Relating to Information Security of Personal Data
Information objects are abstract objects that need to be processed to produce meaning;
Unlike material objects, is
and hence not subject to conditions of scarcity
by everyone without reducing the supply for other people
The natural desire of human beings to acquire information
and thus people should have a right to be free of coercive restrictions on their information-gathering and information-using behaviors.
of information (eg, on digital media) approaches zero as the number of users increases;
easy to disseminate
Difficult to enforce exclusive right
Non deteriorating character and cumulative effect
Nature of Information
A duty to provide information security may come from several sources, each asserting jurisdiction over a different aspect of information.
The Sony Entertainment case