Loading presentation...

Present Remotely

Send the link below via email or IM


Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.


Legal Aspects of Information Security

No description

Iheanyi Nwankwo

on 3 August 2015

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of Legal Aspects of Information Security

Challenges in maintaining information security

Legal impact on information security

Historical perspective

“Information and the technology used to access, utilize, store, and transfer it have become the primary drivers of value and wealth creation in today's global digital economy.... Failure to protect these valuable information assets can result in devastating consequences, including major financial losses and legal liability”

(CGI Group, 2004)

Infosec implementation in EU MS

CoE Cybercrime convention (2001)

European Network and Information Security Agency (ENISA) 2004

European Commission Communication on Network and Information Security: Proposal for A European Policy Approach, COM (2001) 298 final (June 6, 2001)

European Commission Communication, i2010 – A European Information Society for growth and employment, COM (2005) 229 final (June 1, 2005)

European Commission Communication, A strategy for a Secure Information Society – “Dialogue, partnership and empowerment,” COM (2006) 251 final (May 31, 2006)

European Commission Communication on Critical Information Infrastructure Protection – “Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience”, COM (2009) 149 final (Mar. 30, 2009)

European Commission Proposal for a Directive of the European Parliament and of the Council on attacks against information systems and repealing Council Framework

Decision 2005/222/JHA, COM (2010) 517 final (Sept. 30, 2010)

Digital Agenda for Europe 2010-2020

CERT for EU institutions and Member States

Imperfection of technology and the misalignment between risk and risk mitigation capability

Reactive nature of law - it trail behind technological innovations (sometimes its too late and too costly)

Language of the law (meaning of concepts blurred when applied to new technology)
*should legislation be technologically neutral?

Jurisdictional issues (double criminality, eg
Love bug case

Difficulty in enforcement due to the borderless nature of the Internet

Human factor


Difficulty in detecting breach in some cases

Showing compliance

Umbrella for other measures
conducive atmosphere - backing up organizational and self-regulation enforcements

*organizational (professional rules, certification, accreditation, standardization: ISO 27001)
*self regulation (Safe Harbor, Binding Corporate Rules)

Integrative role

Standards usually represent industrial practice

Voluntary standards and guidelines as developed by ISO or non-regulatory agencies (NIST, ENISA) are not “mandatory regulations.”

Compliance with such standards and guidelines therefore constitutes no defense against a product liability claim/information security breach (ISO 27000 series)

Intersection of law and information security standards

- physical facility and device security control, data/hardware destruction

- technical access control; intrusion detection procedure, backups, audit/log trails, encryption, etc

- Employee training and education, contractual obligation, etc

Measures cont.




What threats?

What are appropriate technical
organizational measures?

Specific safeguards v. Reasonable safeguards

How is obligation framed?

Definition cont.

Network and information security –
“the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data and the related services offered by or accessible via these networks and systems.”

(Regulation 460/2004, art. 4(c))

What is information security?

Sources of Obligation

Statutes/ Regulation/ Directives
Data Protection/Privacy laws
e-Signature Directive, E-commerce Directive
Employment law, Consumer Protection law, Intellectual Property law
Corporate Governance legislations
Official secret law, Criminal law, etc

Common law
Tort of Negligence

International law
United Nations Convention on the Use of Electronic Communications in International Contracts (Art. 9)
Council of Europe Convention on Cybercrime

Case law/ Rule of Evidence
Lorraine v. Markel
(Evidence rejected for lack of authentication)

Industrial Standards
Payment Card Industry Data Security Standards, EV SSL Guidelines for certification

Contractual Obligations
EC Model Contractual Clauses for International Data Transfer

Self Regulation (Privacy policy)
Deceptive trade practice – s. 5 FTC Act

Should there be an obligation to secure information and information systems?

Legal Reactions

Statutes of Anne (1710)

Should information assets enjoy legal protection?

Danke Schön


EU Developments on information security

Develop and implement standards and procedures to prevent and detect criminal conduct

Assign responsibility and ensure adequate resources at all levels, and authority for the program

Perform personnel screening as applicable (in accordance with laws, regulations, and labor union requirements) and as related to program goals and the responsibilities of the staff involved

Ensure adequate and effective awareness and training at all levels of the organization

Ensure auditing, monitoring, and evaluating activities occur to verify program effectiveness

Implement internal reporting systems that ensure non-retaliatory reaction

Provide incentives and enforce discipline to promote compliance

Consistently take reasonable steps to respond to violations and prevent similar violations from occurring – (show how complaints are handled)

Documentation of activities

Punitive measure (criminalization of activities that breach information security)

Rapidshare, Mega upload cases,

Data breach notice and remedial measures

Award of compensation/fines
ICO fine against Sony for data breach

Reactive role

Expansion of duty via case law

Bell v. Michigan Council
Court held that “defendant did owe plaintiffs a duty to protect them from identity theft by providing some safeguards to ensure the security of their most essential confidential identifying information.”

Guin v. Brazos Education
Court acknowledged that in some negligence cases, a duty of care may be established by statute (in that case, the GLB Act).

Wolfe v. MBNA America Bank
Court found that where the injury is foreseeable and preventable, the “defendant has a duty to verify the authenticity and accuracy of a credit account application.

Proactive role

Obligatory policy

Art 17 DPD – Technical and organizational security measures

Privacy by design and security by design

Incorporation of infosec as part of corporate governance

Data Protection Impact Assessment (Draft DP Regulation)

Dissuading attacks against critical information infrastructure by penal sanctions
(Directive on attacks against info system (Directive 2013/40/EU),
Council of Europe Convention on Cybercrime)

Proactive role

Reactive/Dissuasive role

Integrative role

European Convention on Human Rights
Data Protection Directive
- place responsibility on the data controller

I v. Finland
- Disclosure of HIV status
(ECHR, Application no. 20511/03)

In the EU

In the U.S.

Sarbanes-Oxley Act, responsibility lies with the CEO and the CFO.

In the financial industry, the Gramm-Leach-Bliley (“GLB”) places responsibility directly with the Board of Directors.

In the healthcare industry, the HIPAA security regulations require an identified security official to be responsibility for compliance.

Federal laws place the responsibility within each government agency on the head of such agency.

Who is responsible for organizational information security?

Mitigation measures must focus on responding to the threats identified in the risk assessment

Armed guards don’t protect against Internet access

Firewalls don’t protect against dishonest employees

What measures?

Information security threats
and mitigation

Elements of the process

conducting periodic risk assessments

developing and implementing a responsive security program

employee training and education

monitoring and testing the program

continuous review and adjustment of the program

documentation of activities

monitoring third party service provider arrangements

imposition of contractual obligation

Risk and cost of implementation
(Art. 17 DPD)

Size of organization and value of information
(FTC Safeguard Rules)

What criteria?

Reasonable/Appropriate Measures

Article 17 (DPD)

1. Member States shall provide that the controller must implement
appropriate technical and organizational measures
to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Having regard to the state of the art and the cost of their implementation
, such measures shall
ensure a level of security appropriate to the risks

represented by the processing and the nature of the data
to be protected.

Specific Requirements

HIPAA Administrative Simplification

- Disadvantages of specific/explicit safeguards

FCC’s CPNI Regulations explicitly require telecommunications carriers to authenticate customers by using a password before granting them online access to customer proprietary network information.

COPPA Rule by the FTC in 1999 declares “secure web servers” and “firewalls” appropriate technical security measures to protect the security of children’s personal information

Nature of Obligation

On individuals
To refrain from violating information security
e.g, attacks against information system (CFAA, DAIS,
United States v. Lloyd
Circumvention of TPM (DMCA, Infosoc Directive)

On Corporate bodies
A duty to provide reasonable security for their corporate data and information systems

A duty to disclose security breaches to those who may be adversely affected by such breaches (focused primarily on personal information)

Localization of data
Brazil, Russia

A duty to provide security may come from several sources, each asserting jurisdiction over a different aspect of information.

Take away

Expanding information security duty in the wake of personal privacy recognition (Arts. 17 of the DPD)

Security obligations regarding specific data elements and control - HIPPA, Gramm-Leach-Bliley Act

The imposition of duty to notify breach (46 states US, e-privacy Directive, EU-DPR, Austria and Germany DPAs)

State oversight/audit assessment (Art. 4, e-privacy Directive as amended in Directive 2009/136/EC)

Proactive obligation to conduct a risk assessment (Art 33 EU-DPR)

International harmonization of data security standards (ISO/IEC 27001, PCI Standards, OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, 2002)

Shift in Public Attitude

It depends …….

Espionage by other states (official secret)

Trade secret enforcement
Subject of reasonable efforts by the rightful holder of the information to maintain its secrecy (Art. 39 TRIPS)

Purposes of Evidence

American Express v. Vinhnee
It has to be established “what has, or may have, happened to the record in the interval between when it was placed in the files and the time of trial … one must demonstrate that the record that has been retrieved from the file, be it paper or electronic, is the same as the record that was originally placed into the file”

Dowling v. United States 473 U.S. 207 (1985)
Cf. Carpenter v. United States 467 U.S. 986 (1984)
Criminal law

Information Freedom

“He who receives an idea from me, receives instructions himself without lessening mine
as he who lights his taper at mine, receives light without darkening me. That ideas should be spread from one to another over the globe, for the moral and mutual instruction of man, and improvement of his condition, seems to have been peculiarly and benevolently designed by nature...."

Thomas Jefferson

Information Freedom

“If nature has made any one thing less susceptible than all others of exclusive property, it is the action of the thinking power called an idea, which an individual may exclusively possess as long as he keeps it to himself but the moment it is divulged, it forces itself into the possession of everyone ….”

Thomas Jefferson



Legal framework

Nature and content of information security measures

How to show compliance

Challenges in maintaining information security

EU Sources of Infosec. Obligations

Convention on Cybercrime (EU Member States)

European Convention on Human Rights (Art. 8)

Data Protection Directive (Art. 17)

Directive 2013/40/EU on attacks against information systems and replacing Council Framework Decision 2005/222/JHA.

E-Privacy Directive (Art. 4) (see amendment in Directive 2009/136/EC)

InfoSoc Directive (Art. 6)

Data Retention Directive (Art. 7) (No longer applicable)

E-signature Directive (see Art. 5(1) and annex II)

Sectoral Regulations, e.g, Art. 13a Directive 2009/140/EC - Better Regulation Directive (electronic communication sector); Medical Devices Directive; Telecoms Framework

DDoS attacks
Virus attacks (Trojan horse)
Failure of hardware

Technological threats

"Information security is a process, not a product"


A discretionary approach

The nature of the legal obligation is often poorly understood

By management charged with the security responsibility,

By the technical experts who must implement it,

By the lawyers who must ensure compliance

The Problem


Information security
“means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—

(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity;

(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and

(C) availability, which means ensuring timely and reliable access to and use of information.”

(FISMA 44 U.S.C. § 3541 (b)(1))


Criminal law
Criminal dispossession of property (protects the market value of information)
Carpenter's case

Falsification of documents/identity theft (protects information integrity)

Civil law
Remedy for Trade Secret, Copyright violations (protects the market value of information)

Copyright law
Criminalisation of circumvention of IPR technical protective measures

Communication b/w patient and doctor (confidentiality)

Public law
Freedom of information (availability)

Data protection law
Information privacy (Confidentiality, integrity, availability….)

Intellectual Property Right

Is Information Property?

- Protection from what?

Human threats

Defining the scope

What informational assets do we refer to?

- Digital information

- Non-digital information

What do we secure?

- Data/information

- System/Network

To look at legal trend in informational asset protection

To identify sources of information security law in the EU and beyond

To identify the intersection of law and information security standards

To identify challenges in showing compliance with information security obligations


ICO's Sony Entertainment fine

Human threats

Tsunami in Japan

Physical/Environmental threats

2015 Summer School (INSITU)
Leibniz University Hannover

Legal Aspects of Information Security

Iheanyi Samuel Nwankwo

Civil law

Fairstar v Adkins [2012] EWHC 2952 (TCC)
Some regulations are developing standards or incorporating existing ones
e.g, HIPAA

DPD did not refer to any standard

Proposed DPR Art. 39 refers to technical standards for certification mechanisms and data protection seals and marks
German Federal Data Protection Commission (ed.): Data Protection Module for the ITGrundschutz Catalogues, Berlin (2007), http://www.bsi.de/gshb/bausteindatenschutz/index.htm
(See Art 9 German Federal Data Protection Act and the Annex)

French CNIL Guide on Security of Personal Data

Belgium Data Protection Commission: Guidelines Relating to Information Security of Personal Data

Abstract nature
: Information objects are abstract objects that needs to be processed to produce meaning;
intangible nature

Unlike material objects, is
and hence not subject to conditions of scarcity

Can be
simultaneously consumed
by everyone without reducing the supply for other people

The natural desire of human beings to acquire information
and thus people should have a right to be free of coercive restrictions on their information-gathering and information-using behaviors.

dissemination cost
of information (eg, on digital media) approaches zero as the number of users increases;
easy to disseminate

Difficult to enforce exclusive right

Non deteriorating character and cumulative effect
Nature of Information
Scope cont.
White paper
A duty to provide information security may come from several sources, each asserting jurisdiction over a different aspect of information.
The Sony Entertainment case
Full transcript