
Lost in Cyberspace? Best Practices for Maintaining Security on the Internet and in the Cloud.


1 Lost in Cyberspace? Best Practices for Maintaining Security on the Internet and in the Cloud

2 Lost in Cyberspace?
- Preventing, monitoring, and responding to breaches of security and cyber attacks
- Reducing liability for compromises to third-party data
- Special risks posed by social media and mobile devices
- Best practices
  – Physical security
  – Contractual agreements
  – Policies and procedures
- Damage control
  – Insurance
  – Reporting obligations
  – Accounting and valuation consequences
  – Litigation options

3 The in-house perspective
- Handles regulatory and compliance issues
- Responsible for public sector/government contracting issues
- Significant experience with internal and government investigations
Roberto Facundus, Global Compliance Attorney, salesforce.com, Inc.

4 The auditor's perspective
- Certified Information Systems Auditor
- Extensive experience with IT security and privacy assessments, audits, and compliance
- Frequent speaker and author on risks associated with cloud computing
- Member of Grant Thornton Cyber Security Committee
Orus Dearman, CISA, Director, Advisory Services, Grant Thornton LLP

5 The litigator's perspective
- Litigated cutting-edge issues including computer crimes and trade secret matters for the past 28 years (22 in Richmond)
- Member of Privacy, Security & Information Management and Trade Secret/Noncompete Practice Groups
- Chair of Foley D.C. office Litigation Department
Michael J. Lockerby, Partner, Foley & Lardner LLP

6 The in-house perspective
- Detecting cyberattacks
- Facilities security
- Worldwide security certifications
- Best practices
- User awareness training

7 What is Cloud Computing?
- Traditional on-premise
  – Servers & datacenters
  – Engineers
  – Energy costs
  – Pay for disruptive upgrades
  – Not elastic
- Cloud on-demand
  – Cloud company maintains IT infrastructure & costs
  – Upgrades included
  – Pay by subscription
  – Scales with you

8 Phishing

9 Phishing/Malware

10 Malware attack

12 Maximum Facilities Security
- 24/7/365 on-site security
- All doors, including cages, are secured through a combination of biometrics and/or proximity card readers
- Multiple security challenges required to reach Salesforce environment
- Low-profile, fully anonymous exteriors
- Digital camera (CCTV) coverage of entire facility
- Perimeter bounded by concrete bollards/planters
- A silent alarm and automatic notification of appropriate law enforcement officials protect all exterior entrances
- CCTV integrated with access control and alarm system
- Motion detection for lighting and CCTV coverage

13 Worldwide Security Certifications
- ISO
- SSAE 16 (SOC 1, 2, and 3)
- GSA Authority to Operate
- PCI
- JIPDC (Japan Privacy Seal)
- TÜV (Germany Privacy Mark)
- SysTrust
- TRUSTe

14 Trust & Transparency
- Success is built on trust. And trust starts with transparency.
- Real-time information on system performance and security
- Live and historical data on system performance
- Up-to-the-minute information on planned maintenance
- Updates on phishing, malware, and social engineering threats

15 User Awareness Training
- New Hire Training
  – All employees and contractors
  – Summary of security obligations
- Annual Training Class
  – All employees and contractors
  – Must take a test and pass
- Newsletters
  – Monthly publication to everyone
  – Covers relevant and timely security topics

16 Best Practices
- Implement IP Restrictions
- Consider Two-Factor Authentication
- Secure Employee Systems
  – Use malware/spyware utilities
- Strengthen Password Policies
- Require Secure Sessions (https://)
- Decrease Session Timeout Thresholds
- Identify a Primary Security Contact
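The slide lists the tenant-side settings a SaaS customer should tighten but not how to tell whether a tenant actually meets them. The following is an added example, not code from the presentation or from Salesforce: it models a tenant's security settings as a plain record and audits it against each bullet on the slide (login IP allow-list, two-factor requirement, password policy, HTTPS-only sessions, session timeout, named security contact). The settings schema, the two sample tenants and the numeric thresholds (30-minute maximum timeout, 12-character minimum password) are constructed assumptions for illustration, not values from the slide or any product.

```python
"""Audit a SaaS tenant's security settings against the slide's best-practice list.

Added example; the settings record, sample tenants and thresholds below are
constructed assumptions, not taken from the presentation or from any vendor.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List


@dataclass
class PasswordPolicy:
    min_length: int              # shortest password the tenant accepts
    require_mixed_classes: bool  # letters plus digits/symbols required
    history_size: int            # previous passwords that cannot be reused (0 = reuse allowed)


@dataclass
class TenantSecuritySettings:
    login_ip_ranges: List[str]   # CIDR allow-list for logins; empty = any source address
    two_factor_required: bool
    password_policy: PasswordPolicy
    require_https: bool          # sessions may only be established over TLS
    session_timeout_minutes: int
    security_contact_email: str  # primary security contact; empty = none identified


# Constructed thresholds (assumptions, not numbers from the slide).
MAX_SESSION_TIMEOUT_MINUTES = 30
MIN_PASSWORD_LENGTH = 12


def audit(settings: TenantSecuritySettings) -> List[str]:
    """Return one finding per failed check; an empty list means all checks passed."""
    findings: List[str] = []

    # Implement IP restrictions: an empty allow-list accepts logins from anywhere,
    # and an allow-list containing a /0 is an allow-list in name only.
    if not settings.login_ip_ranges:
        findings.append("no login IP restrictions configured")
    for cidr in settings.login_ip_ranges:
        try:
            net = ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"invalid IP range {cidr!r}")
            continue
        if net.prefixlen == 0:
            findings.append(f"IP range {cidr} permits every address")

    # Consider two-factor authentication.
    if not settings.two_factor_required:
        findings.append("two-factor authentication not required")

    # Strengthen password policies.
    policy = settings.password_policy
    if policy.min_length < MIN_PASSWORD_LENGTH:
        findings.append(f"password minimum length {policy.min_length} is below {MIN_PASSWORD_LENGTH}")
    if not policy.require_mixed_classes:
        findings.append("password policy does not require mixed character classes")
    if policy.history_size < 1:
        findings.append("password reuse is not prevented")

    # Require secure sessions (https://).
    if not settings.require_https:
        findings.append("sessions may be established over plain HTTP")

    # Decrease session timeout thresholds.
    timeout = settings.session_timeout_minutes
    if timeout <= 0 or timeout > MAX_SESSION_TIMEOUT_MINUTES:
        findings.append(f"session timeout {timeout} min is not within 1..{MAX_SESSION_TIMEOUT_MINUTES} min")

    # Identify a primary security contact.
    if not settings.security_contact_email.strip():
        findings.append("no primary security contact identified")

    return findings


# Constructed sample tenants: one left at weak defaults, one hardened per the slide.
WEAK = TenantSecuritySettings(
    login_ip_ranges=[], two_factor_required=False,
    password_policy=PasswordPolicy(min_length=8, require_mixed_classes=False, history_size=0),
    require_https=False, session_timeout_minutes=720, security_contact_email="")

HARDENED = TenantSecuritySettings(
    login_ip_ranges=["203.0.113.0/24", "198.51.100.0/24"],  # RFC 5737 documentation ranges
    two_factor_required=True,
    password_policy=PasswordPolicy(min_length=14, require_mixed_classes=True, history_size=10),
    require_https=True, session_timeout_minutes=30, security_contact_email="security@example.com")


if __name__ == "__main__":
    for name, tenant in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(tenant) or ["all checks passed"])
```

Running the block prints eight findings for the weak tenant and none for the hardened one. In practice the `TenantSecuritySettings` record would be filled from the provider's admin API or a configuration export, and the checker run on a schedule so that drift (someone widening the IP allow-list to a /0, or lengthening the session timeout) surfaces as a finding rather than going unnoticed.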

17 The auditor's perspective
- Overview of cloud computing
  – Principal characteristics
  – Types and models
  – Why management is buzzing about this trend
- Risks of cloud computing
- Responding to a security breach

18 Principal characteristics
- Network enabled
- Abstraction of infrastructure
- Resource democratization
- Services-oriented architecture
- Elasticity and dynamism of resources
- Utility model of consumption and allocation
© Grant Thornton. All rights reserved.

19 Types and models
Types of clouds
- Public - Shared computer resources provided by an off-site third-party provider
- Private - Dedicated computer resources provided by an off-site third party, or use of cloud technologies on a private internal network
- Hybrid - Consisting of multiple public and private clouds
Models of cloud
- Software as a Service (SaaS) - Software applications delivered over the Internet
- Platform as a Service (PaaS) - Full or partial operating system/development environment delivered over the Internet
- Infrastructure as a Service (IaaS) - Computer infrastructure delivered over the Internet
- Desktop as a Service (DaaS) - Virtualization of desktop systems serving thin clients, delivered over the Internet or a private cloud

20 Why management is buzzing about this trend
- Cloud computing is the future of IT
- A new and flexible model for deploying technology
- Extremely reliable and infinitely scalable
- Cost benefits and ease of ownership
- Allows organizations to expand or contract as needs dictate
- Pay for only what you need at any given time

21 Potential risks
- What are the physical components of the clouds?
  – Data centers: self-hosted, third-party, both, etc.?
  – Network circuits and firewalls: who's managing, who's watching, etc.?
  – Disaster preparedness and recoverability: is there a plan, is it tested, etc.?
  – Who is aware of and managing vendor SLAs, and are they adequate?

22 Potential risks (continued)
- Where is the data and how is it protected?
  – In-flight, standing still / at-rest, etc.?
  – Archives and back-up?
  – Unintended uses?
  – Data privacy and compliance?
- What is the tone at the top?
  – Stakeholder knowledge of attributes and risks
  – Have internal controls evolved effectively?
  – Who is monitoring internal use of public cloud services?

23 Six additional risk areas
- Security
- Multi-tenancy
- Data location
- Reliability
- Sustainability
- Scalability

24 Security risks
- The cloud provider's security policies are not as strong as the organization's data security requirements
- Cloud systems which store organization data are not updated or patched when necessary
- Security vulnerability assessments or penetration tests are not performed to ensure logical and physical security controls are in place
- The physical location of organization data is not properly secured

25 Multi-tenancy risks
- Organization data is not appropriately segregated on shared hardware, resulting in organization data being inappropriately accessed by third parties
- The cloud service provider has not deployed appropriate levels of encryption to ensure data is appropriately segregated both at rest and in transit
- The cloud service provider cannot determine the specific location of the organization's data on its systems
- Organization data resides on shared server space, which might conflict with regulatory compliance requirements for the organization

26 Data location risks
- The organization is not aware of all of the cloud service provider's physical location(s)
- The organization does not know where its data is physically or virtually stored
- The cloud service provider moves organization data to another location without informing the organization
- Organization data is stored in international locations and falls under foreign business or national laws/regulations

27 Reliability risks
- The cloud service provider has quality-of-service standards which conflict with operational requirements
- During peak system activity times, the cloud service provider experiences system performance issues that result in the following:
  – Organization employees cannot access the organization's data when needed
  – Customers are unable to use the organization's systems (such as placing an order on the organization's web site) because of performance problems with the cloud provider

28 Sustainability risks
- In the event the cloud service provider goes out of business, the organization might not be able to retrieve the organization's data. In addition, another third party might gain access to or control of the organization's data
- The cloud service provider does not have appropriate system recovery procedures in place in the event of a disaster
- The organization's business continuity plan does not address the cloud service offering being unavailable
- Organization data is compromised as a result of a disaster

29 Scalability risks
- The cloud service provider's systems cannot scale to meet the organization's anticipated growth, both for a short-term spike and/or to meet a long-term strategy
- If the organization decides to migrate all or part of the organization's system and/or data back in-house (or to another provider), the cloud service provider cannot (or will not) provide the data

30 Responding to a breach
- 2011 data breach statistics
- Breaches are costly
- Prevention
- Incident response
- Post-incident activity

31 2011 data breach statistics
- Of 855 security breach incident investigations:
  – 98% stemmed from external agents
  – 81% utilized some form of hacking
  – 69% incorporated malware
  – 85% took a week or more to discover (92% by a third party)
  – 97% were preventable through intermediate controls
Source: Verizon RISK Team 2012 Data Breach Investigations Report

32 Breaches are costly
- 6M per event or $197 per record (Ponemon Institute)
- TJX
  – 47M+ card numbers stolen, $200M+ in costs
- Hannaford Brothers and Sweetbay
  – 4.2M card numbers stolen, 1,800 cases of fraud
- ABN Amro
  – 2 million customer records "lost in mail" (DHL)
- DuPont
  – $400M in trade secrets breached by insider

33 Prevention
- Best practices:
  – Establish a data security policy and promote organizational awareness
  – Implement appropriate management, operational, and technical security controls
  – Collect the minimum amount of personal information necessary to perform a job
  – Adhere to local and federal data disposal laws

34 Incident response
- Prioritize: consider the functional/information impact and recoverability of the incident
- Notify:
  – Determine response requirements based on state law for physical possession, copying, or utilization of personal information
  – Notify internal and external stakeholders, including government agencies

35 Incident response (continued)
- Contain: criteria for determining the appropriate strategy
  – Need for evidence preservation
  – Service availability
  – Time and resource requirements
  – Duration of the solution (temporary vs. permanent)
Source: NIST Special Publication Revision 2, August 2012

36 Post-incident activity
- Lessons learned
  – Incident reporting
  – Adherence to policies and procedures
  – Corrective and preventive actions
  – Symptoms and precursors for future monitoring
  – Additional tools or resources needed to detect, analyze, and mitigate future incidents
Source: NIST Special Publication Revision 2, August 2012

37 Resources
- The ABCs of Cloud Computing: A comprehensive cloud computing portal where agencies can get information on procurement, security, best practices, case studies and technical resources. (GSA / )
- Successful Case Studies: A report which details 30 illustrative cloud computing case studies at the Federal, state and local government levels. (CIO Council / FINALv3_508.pdf)
- Cloud Computing Definition: Includes essential characteristics as well as service and deployment models. (NIST / 145_cloud-definition.pdf)
- Centralized Cloud Computing Assessment and Authorization: The Federal Risk and Authorization Management Program (FedRAMP) has been established to provide a standard, centralized approach to assessing and authorizing cloud computing services and products. FedRAMP will permit joint authorizations and continuous security monitoring services for government and commercial cloud computing systems intended for multi-agency use. It will enable the government to buy a cloud solution once, but use it many times. (CIO Council / )

38 Resources (continued)
- Guidelines on Security and Privacy in Public Cloud Computing: This draft publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment. (NIST / _cloud-computing.pdf) http://csrc.nist.gov/publications/drafts/ /Draft-SP _cloud-computing.pdf
- Cloud Security Alliance: To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing. (https://cloudsecurityalliance.org/)
- CloudAudit: To provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments. (http://cloudaudit.org/)

39 The litigator's perspective
- Litigation: the nuclear option
- Lessons learned in litigation
- When litigation is unavoidable

40 Litigation: the nuclear option
- Unavoidable under certain circumstances
- Preliminary injunction may be the only way to protect trade secrets
- If trade secrets are particularly sensitive, litigation may be a "bet the company" case

41 Lessons learned in litigation
- Physical and electronic security
- Contract provisions
- Marking
- Exit interviews
- Computer forensics
- Use of the Internet
- When litigation is unavoidable:
  – Obtaining preliminary injunctive relief
  – Effective use of federal and state computer crimes laws

42 Physical and electronic security
- Locked or limited access
  – Physically
  – Electronically
- Restrict to those with need to know
- Forensic examination

43 Contract provisions
- Employees and contractors
- Prospective merger or joint venture partners
- Suppliers
- Dealers, distributors and franchisees
- Covenant not to use, disclose, or copy
- Right of audit and inspection
- Consent to preliminary injunctive relief in court
- Choice of forum

44 Marking trade secrets
- Clearly identify confidential information
- Avoid over-designation
- Restrict copying (e.g., numbered paper copies, use of security paper, read-only electronic copies)

45 Maintaining confidentiality
- Exit interviews with departing employees and dealers, distributors, or franchisees
  – Review policies and procedures
  – Obtain written certification of compliance

46 Trust, but verify
- Use computer forensic experts to monitor activity:
  – During employment and upon departure
  – During contract term and after termination or nonrenewal

47 Computer forensic experts
- Determine whether sensitive files were accessed, ed, downloaded, printed
- Review history
- Recover deleted files
- Clone computer hard drives of departing employees
- Ensure that employees have no reasonable expectation of privacy
  – Written policies and procedures
  – Periodic reminders
  – Informed consent to monitoring

48 Trade secrets on the Internet?
- Early view:
  – Once a trade secret is posted on the Internet, it is effectively part of the public domain, impossible to retrieve.
  – RTC v. Lerma, 908 F. Supp. 1362, 1368 (E.D. Va. 1995)
  – RTC v. Netcom, 923 F. Supp (N.D. Cal. 1995)
- Later view:
  – Not lost if publication "sufficiently obscure or transient or otherwise limited so that it does not become generally known to … potential competitors"
  – DVD Copy Control Ass'n v. Bunner, 10 Cal. Rptr. 3d 185 (Ct. App. 2004)

49 Trade secrets on the Internet?
- Key circumstances:
  – How long was it posted?
  – How promptly did the owner act?
  – Who saw it?
  – How accessible and popular is the site?
  – Where does it show up in response to search engine queries?
  – How much was disclosed?

50 Preliminary injunctive relief
- Warranted in cases of actual or threatened use of trade secrets
- If trade secrets not yet disclosed or used, may be the only remedy
- Prohibitory injunction
- Mandatory injunction: return of embodiments, assignment of patents

51 Preliminary injunctive relief
- Primary purpose to preserve status quo
  – "last, actual peaceable uncontested status"
- Is the status quo that trade secrets are already on the Internet or otherwise gone?
- Computer crimes laws require no showing of trade secret protection
- Effect of contractual arbitration provision
  – What if no carve-out for preliminary injunctive relief?
  – Authority that federal courts can preserve status quo pending arbitration
  – Still good law now that most ADR rules authorize preliminary injunctive relief?

52 Ex parte seizure
- Federal IP law
  – Lanham Act permits ex parte seizure of counterfeit goods, 15 U.S.C. § 1116(d)
  – Copyright Act permits temporary injunctive relief, impoundment (17 U.S.C. §§ 502, 503)
- Trade secret law
  – No federal private right of action
  – Fed. R. Civ. P. 64 preserves state law seizure remedies (state replevin statutes)
  – UTSA, Restatement expressly authorize mandatory injunctions

53 Practice pointers
- Seek expedited trial and preliminary injunction preserving status quo
  – Federal Rule 26(d): expedited discovery
  – Federal Rule 65(a)(2): consolidated preliminary injunction hearing, trial on merits
- Submit proposed order with findings and conclusions
  – "set forth the reasons for its issuance"
  – "be specific in terms"
  – "describe in reasonable detail … the act or acts to be restrained"
  – Federal Rule 65(d)

54 Practice pointers
- Make injunction binding by service on "other persons … in active concert or participation with" the parties and their officers, agents, servants, employees, and attorneys
  – Federal Rule 65(d)(2)

55 Practice pointers
- Courts have considerable discretion whether to award injunctive relief and how to fashion it
- May win or lose on intangible factors: credibility and reasonableness of witnesses, parties, counsel

56 Federal computer crimes laws
- Electronic Communications Privacy Act (ECPA)
  – Wiretap Act prohibits interception of communications
  – Stored Communications Act prohibits dissemination or review
- Computer Fraud & Abuse Act (CFAA)

57 Computer Fraud & Abuse Act
- Prohibits intentional access to a computer without authorization, or beyond the scope of any authority
- Applied to employee who erased data on company laptop before resigning
  – Int'l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006)

58 De-CFAA-nated?
- U.S. v. Nosal, 676 F.3d 854 (9th Cir. April 2012)
  – CFAA provides no remedy against disloyal employees who retrieved confidential information via company user accounts and transferred it to a competitor
  – Because defendants were authorized to access the computer, access for an unauthorized purpose was not "without authorization" and did not "exceed[] authorized access"
- WEC Carolina Energy Solutions LLC v. Miller, 2012 U.S. App. LEXIS (4th Cir. July 26, 2012)
  – CFAA provides no remedy against former employee who, before resigning, downloaded employer's proprietary information at behest of competitor
  – WEC policies prohibited using information without authorization or downloading to a PC, but did not restrict Miller's authorization to access the information

59 Fourth Circuit's rationale
- CFAA allows for criminal prosecution
  – But the Copyright Act also criminalizes copying by unlicensed users and licensees exceeding the scope of their authorization
- Other means to rein in rogue employees, e.g., trade secret law
  – But trade secret protection may have been destroyed

60 Damages for CFAA violations
- Must be > $5,000
  – any reasonable cost to any victim
- Can include cost of computer forensic expert
  – cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense
- Some courts require interruption of service
- Statutory provision:
  – any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service

61 State computer crimes laws
- Prohibit use of computers without authority
- Typical remedies:
  – Sealing the record
  – Injunctive relief
  – Costs and attorney's fees
- Can combine with common law claim for trespass to chattels
- Hacker reconstructed and sold competitor's customer list
- Record sealed under Virginia computer crimes statute
- Ex parte TRO and preliminary injunction
  – UPS, Inc. v. Matuszek, Case No. 1:97-cv (E.D. Va. 1997)

62 State computer crimes laws
- Former dealer accessed dealers-only site; ordered to pay attorney's fees plus the cost of having a forensic expert image and analyze computers
  – NACCO Materials Handling Group, Inc. v. The Lilly Co., --- F.R.D. ----, 2011 U.S. Dist. LEXIS , 2011 WL (W.D. Tenn. Nov. 16, 2011)
- Licensee hired consultant to work around and avoid paying for undisclosed authorization key to relocate software
- Failure to disclose actionable under CFAA and Connecticut statute
  – Roller Bearing Co. of America, Inc. v. American Software, Inc., Case No. 3:07-cv (D. Conn.)

63 Questions and answers

64 Contact information
Roberto Facundus, Global Compliance Attorney, salesforce.com®
[Address]
Cell:

65 Contact information
Orus Dearman, CISA, Director, Advisory Services, Grant Thornton LLP
2070 Chain Bridge Rd, Vienna, Virginia
Direct:
Cell:

66 Contact information
Michael J. Lockerby, Foley & Lardner LLP
Washington Harbour, 3000 K Street, N.W., Washington, D.C.
Direct:
Cell:

