1 Lost in Cyberspace? Best Practices for Maintaining Security on the Internet and in the Cloud
2 Lost in Cyberspace?
Preventing, monitoring, and responding to breaches of security and cyber attacks
Reducing liability for compromises to third party data
Special risks posed by social media and mobile devices
“Best practices”
  Physical security
  Contractual agreements
  Policies and procedures
“Damage control”
  Insurance
  Reporting obligations
  Accounting and valuation consequences
  Litigation options
3 The in-house perspective
Handles regulatory and compliance issues
Responsible for public sector/government contracting issues
Significant experience with internal and government investigations
Roberto Facundus, Global Compliance Attorney, salesforce.com, Inc.
4 The auditor’s perspective
Certified Information Systems Auditor
Extensive experience with IT security and privacy assessments, audits, and compliance
Frequent speaker and author on risks associated with cloud computing
Member of Grant Thornton Cyber Security Committee
Orus Dearman, CISA, Director, Advisory Services, Grant Thornton LLP
5 The litigator’s perspective
Litigated cutting edge issues, including computer crimes and trade secret matters, for past 28 years (22 in Richmond)
Member of Privacy, Security & Information Management and Trade Secret Noncompete Practice Groups
Chair of Foley D.C. office Litigation Department
Michael J. Lockerby, Partner, Foley & Lardner LLP
6 The in-house perspective
Detecting cyberattacks
Facilities security
Worldwide security certifications
Best practices
User awareness training
7 What is Cloud Computing?
Traditional (on-premise):
  Servers & datacenters
  Engineers
  Energy costs
  Pay for disruptive upgrades
  Not elastic
Cloud (on-demand):
  Cloud company maintains IT infrastructure & costs
  Upgrades included
  Pay by subscription
  Scales with you
12 Maximum Facilities Security
24/7/365 on-site security
All doors, including cages, are secured through a combination of biometrics and/or proximity card readers
Multiple security challenges required to reach Salesforce environment
Low profile, fully anonymous exteriors
Digital camera (CCTV) coverage of entire facility
Perimeter bounded by concrete bollards/planters
A silent alarm and automatic notification of appropriate law enforcement officials protect all exterior entrances
CCTV integrated with access control and alarm system
Motion detection for lighting and CCTV coverage
13 Worldwide Security Certifications
ISO 27001
SSAE 16 (SOC 1, 2, and 3)
GSA “Authority to Operate”
PCI
JIPDC (Japan Privacy Seal)
TÜV (Germany Privacy Mark)
SysTrust
TRUSTe
14 Trust & Transparency
Success is built on trust. And trust starts with transparency.
Real-time information on system performance and security
Live and historical data on system performance
Up-to-the-minute information on planned maintenance
Updates on phishing, malware, and social engineering threats
15 User Awareness Training
New hire training
  All employees and contractors
  Summary of security obligations
Annual training class
  Must take a test and pass
Newsletters
  Monthly publication to everyone
  Covers relevant and timely security topics
16 Best Practices
Implement IP restrictions
Consider two-factor authentication
Secure employee systems
  Use anti-malware/anti-spyware utilities
Strengthen password policies
Require secure sessions (https://)
Decrease session timeout thresholds
Identify a primary security contact
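Three of the controls on this slide (IP restrictions, HTTPS-only sessions, and a shorter idle-session timeout) are easy to get subtly wrong, so here is an added example of a request gate that enforces them together. This is illustrative code written for this page, not Salesforce's implementation; the `SessionPolicy` and `Request` names, the CIDR ranges and the sample requests are all hypothetical and constructed inline.

```python
"""Added example: enforce IP allowlisting, HTTPS-only sessions and an idle timeout.
Not code from the presentation; all names and sample data are hypothetical."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Request:
    src_ip: str       # as seen by the edge, not a client-supplied header
    https: bool
    session_id: str


@dataclass
class SessionPolicy:
    allowed_networks: list            # CIDR strings, e.g. corporate egress ranges
    idle_timeout: float = 900.0       # seconds; the slide says decrease this
    require_https: bool = True
    _nets: list = field(init=False)
    _last_seen: dict = field(default_factory=dict, init=False)

    def __post_init__(self):
        self._nets = [ipaddress.ip_network(n, strict=False)
                      for n in self.allowed_networks]

    def ip_allowed(self, src_ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(src_ip)
        except ValueError:
            return False              # malformed value: fail closed
        return any(addr in net for net in self._nets)

    def check(self, req: Request, now: float) -> str:
        """Return "allow" or a denial reason. The idle timer is only refreshed
        on an allowed request, so a rejected request cannot keep a session alive."""
        if not self.ip_allowed(req.src_ip):
            return "deny: source IP not in allowlist"
        if self.require_https and not req.https:
            return "deny: insecure transport"
        last = self._last_seen.get(req.session_id)
        if last is not None and now - last > self.idle_timeout:
            self._last_seen.pop(req.session_id, None)   # force re-authentication
            return "deny: session expired (idle timeout)"
        self._last_seen[req.session_id] = now
        return "allow"


def session_cookie_header(session_id: str, max_age: int) -> str:
    """Cookie attributes that make 'require secure sessions' stick on the client:
    Secure (never sent over plain http), HttpOnly (not readable by page scripts),
    SameSite=Strict (not sent on cross-site requests), bounded lifetime."""
    return (f"Set-Cookie: sid={session_id}; Secure; HttpOnly; SameSite=Strict; "
            f"Max-Age={max_age}; Path=/")


def run_demo() -> list:
    """Constructed requests against a hypothetical policy; returns the verdicts."""
    policy = SessionPolicy(allowed_networks=["203.0.113.0/24", "2001:db8::/32"],
                           idle_timeout=600)
    t0 = 1_700_000_000.0
    return [
        policy.check(Request("203.0.113.10", True, "s1"), t0),          # allow
        policy.check(Request("198.51.100.7", True, "s2"), t0),          # off-net IP
        policy.check(Request("203.0.113.10", False, "s1"), t0 + 10),    # plain http
        policy.check(Request("203.0.113.10", True, "s1"), t0 + 300),    # within idle
        policy.check(Request("203.0.113.10", True, "s1"), t0 + 1000),   # 700s idle
        policy.check(Request("not-an-ip", True, "s3"), t0),             # malformed
    ]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
    print(session_cookie_header("example-session-id", 600))
```

Two design points worth noting: the source address must come from the connection (or a trusted proxy's header that the edge overwrites), never from a header the client can set, or the IP restriction is decorative; and the idle timer is refreshed only on allowed requests, otherwise a rejected plaintext request would extend the life of a session it was not permitted to use.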
17 The auditor’s perspective
Overview of cloud computing
  Principal characteristics
  Types and models
  Why management is buzzing about this trend
Risks of cloud computing
Responding to a security breach
39 The litigator’s perspective
Litigation: the nuclear option
Lessons learned in litigation
When litigation is unavoidable
40 Litigation: the nuclear option
Unavoidable under certain circumstances
Preliminary injunction may be only way to protect trade secrets
If trade secrets are particularly sensitive, litigation may be a “bet the company” case
41 Lessons learned in litigation
Physical and electronic security
Contract provisions
Marking
Exit interviews
Computer forensics
Use of the Internet
When litigation is unavoidable:
  Obtaining preliminary injunctive relief
  Effective use of federal and state computer crimes laws
42 Physical and electronic security
Locked or limited access
  Physically
  Electronically
Restrict to those with “need to know”
Forensic examination
OEMs use standard T&Cs; use your bargaining power to negotiate the warranties.
43 Contract provisions
Parties:
  Employees and contractors
  Prospective merger or joint venture partners
  Suppliers
  Dealers, distributors and franchisees
Provisions:
  Covenant not to use, disclose, or copy
  Right of audit and inspection
  Consent to preliminary injunctive relief in court
  Choice of forum
44 “Marking” trade secrets
Clearly identify confidential information
Avoid over-designation
Restrict copying (e.g., numbered paper copies, use of “security paper,” “read only” electronic copies)
45 Maintaining confidentiality
Exit interviews with departing employees and dealers, distributors, or franchisees
  Review policies and procedures
  Obtain written certification of compliance
46 Trust, but verify
Use computer forensic experts to monitor activity:
  During employment and upon departure
  During contract term and after termination or nonrenewal
47 Computer forensic experts
Determine whether sensitive files were accessed, ed, downloaded, printed
Review history
Recover “deleted” files
“Clone” computer hard drives of departing employees
Ensure that employees have no “reasonable expectation of privacy”
  Written policies and procedures
  Periodic reminders
  Informed consent to monitoring
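Two of the forensic steps above, cloning a departing employee's drive and recovering “deleted” files, rest on the same technical facts: a clone is only usable as evidence if it is provably byte-identical to the original, and deleting a file normally unlinks its directory entry while leaving the bytes on disk. The following added example (written for this page, not the speakers' or any vendor's tooling) shows both: hash verification of an image against its clone, and signature-based carving of a PDF out of raw bytes with no filesystem metadata. The “disk image” is a constructed byte string, not a real drive, and every function name is hypothetical.

```python
"""Added example: verify a forensic clone by hash and carve a deleted PDF from raw
bytes. Illustrative code for this page; the disk image is constructed inline."""
import hashlib
from typing import List

PDF_MAGIC = b"%PDF-"    # header every PDF starts with
PDF_EOF = b"%%EOF"      # trailer marker that closes a PDF


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_clone(original: bytes, clone: bytes) -> dict:
    """Hash both images. The two digests go into the chain-of-custody record;
    any mismatch means the clone is not an evidentiary-grade copy."""
    h_orig, h_clone = sha256_hex(original), sha256_hex(clone)
    return {"original": h_orig, "clone": h_clone, "match": h_orig == h_clone}


def carve_pdfs(image: bytes) -> List[bytes]:
    """Recover PDF-shaped blobs from raw bytes regardless of directory entries.
    This is what lets an examiner find a file the user 'deleted': the entry is
    gone, the content is still in unallocated space until overwritten."""
    found = []
    pos = 0
    while True:
        start = image.find(PDF_MAGIC, pos)
        if start == -1:
            break
        end = image.find(PDF_EOF, start)
        if end == -1:
            break                      # truncated file: would need a size heuristic
        end += len(PDF_EOF)
        found.append(image[start:end])
        pos = end
    return found


def build_sample_image() -> bytes:
    """Constructed: zeroed 'sectors', one document that is still allocated and one
    whose directory entry has been removed (the bytes alone are indistinguishable)."""
    sector = b"\x00" * 512
    allocated = b"%PDF-1.4\n1 0 obj << /Title (Customer List) >> endobj\n%%EOF"
    deleted = b"%PDF-1.7\n1 0 obj << /Title (Pricing Model) >> endobj\n%%EOF"
    return sector + allocated + sector * 3 + deleted + sector


def run_demo() -> dict:
    image = build_sample_image()
    good_clone = bytes(image)
    bad_clone = bytearray(image)
    bad_clone[600] ^= 0xFF             # a single flipped byte in the 'clone'
    return {
        "good_clone_matches": verify_clone(image, good_clone)["match"],
        "bad_clone_matches": verify_clone(image, bytes(bad_clone))["match"],
        "carved": carve_pdfs(image),
    }


if __name__ == "__main__":
    result = run_demo()
    print("good clone verified:", result["good_clone_matches"])
    print("tampered clone verified:", result["bad_clone_matches"])
    for blob in result["carved"]:
        print("carved:", blob[:40])
```

In practice the imaging tool writes the hashes and the examiner records them with the device serial and the time of acquisition; the carve step here is the minimal form of what file-carving tools do, and real carving has to cope with fragmented files and false-positive headers, which a single-signature scan like this one does not.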
48 Trade secrets on the Internet?
Early view: “Once a trade secret is posted on the Internet, it is effectively part of the public domain, impossible to retrieve.”
  RTC v. Lerma, 908 F. Supp. 1362, 1368 (E.D. Va. 1995)
  RTC v. Netcom, 923 F. Supp. (N.D. Cal. 1995)
Later view: not lost if publication is “sufficiently obscure or transient or otherwise limited so that it does not become generally known to … potential competitors”
  DVD Copy Control Ass’n v. Bunner, 10 Cal. Rptr. 3d 185 (Ct. App. 2004)
49 Trade secrets on the Internet?
Key circumstances:
  How long was it posted?
  How promptly did the owner act?
  Who saw it?
  How accessible and popular is the site?
  Where does it show up in response to search engine queries?
  How much was disclosed?
50 Preliminary injunctive relief
Warranted in cases of actual or threatened use of trade secrets
If trade secrets not yet disclosed or used, may be only remedy
Prohibitory injunction
Mandatory injunction: return of embodiments, assignment of patents
51 Preliminary injunctive relief
Primary purpose to preserve “status quo”: “last, actual peaceable uncontested status”
Is “status quo” that trade secrets already on the Internet or otherwise gone?
Computer crimes laws require no showing of trade secret protection
Effect of contractual arbitration provision
  What if no “carve-out” for preliminary injunctive relief?
  Authority that federal courts can preserve status quo pending arbitration
  Still good law now that most ADR rules authorize preliminary injunctive relief?
52 Ex parte seizure
Federal IP law:
  Lanham Act permits ex parte seizure of counterfeit goods (U.S.C. § 1116(d))
  Copyright Act permits temporary injunctive relief, impoundment (17 U.S.C. §§ 502, 503)
Trade secret law:
  No federal private right of action
  Fed. R. Civ. P. 64 preserves state law seizure remedies (state replevin statutes)
  UTSA, Restatement expressly authorize mandatory injunctions
53 Practice pointers
Seek expedited trial and preliminary injunction preserving status quo
  Federal Rule 26(d): expedited discovery
  Federal Rule 65(a)(2): consolidated preliminary injunction hearing, trial on merits
Submit proposed order with findings and conclusions (Federal Rule 65(d)):
  “set forth the reasons for its issuance”
  “be specific in terms”
  “describe in reasonable detail … the act or acts to be restrained”
54 Practice pointers
Make injunction binding by service on “other persons … in active concert or participation with” the parties and their “officers, agents, servants, employees, and attorneys” (Federal Rule 65(d)(2))
55 Practice pointers
Courts have considerable discretion whether to award injunctive relief and how to fashion it
May win or lose on “intangible” factors: credibility and reasonableness of witnesses, parties, counsel
56 Federal computer crimes laws
Electronic Communications Privacy Act (ECPA)
  Wiretap Act prohibits interception of communications
  Stored Communications Act prohibits dissemination or review
Computer Fraud & Abuse Act (CFAA)
57 Computer Fraud & Abuse Act
Prohibits intentional access to a computer without authorization, or beyond the scope of any authority
Applied to employee who erased data on company laptop before resigning
  Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006)
58 De-CFAA-nated?
U.S. v. Nosal, 676 F.3d 854 (9th Cir. April 2012)
  CFAA provides no remedy against disloyal employees who retrieved confidential information via company user accounts and transferred it to competitor
  Because defendants were authorized to access the computer, access for an unauthorized purpose was not “without authorization” and did not “exceed authorized access”
WEC Carolina Energy Solutions LLC v. Miller, 2012 U.S. App. LEXIS (4th Cir. July 26, 2012)
  CFAA provides no remedy against former employee who, before resigning, downloaded employer’s proprietary information at behest of competitor
  WEC policies prohibited using information without authorization or downloading to PC but did not restrict Miller’s authorization to access the information
59 Fourth Circuit’s rationale
CFAA allows for criminal prosecution
But the Copyright Act also criminalizes copying by unlicensed users and licensees exceeding scope of their authorization
Other “means to rein in rogue employees,” e.g., trade secret law
But trade secret protection may have been destroyed
60 Damages for CFAA violations
Must be > $5,000
“any reasonable cost to any victim”
  Can include cost of computer forensic expert
  “cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense”
Some courts require “interruption of service”
  Statutory provision: “any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service”
61 State computer crimes laws
Prohibit “use” of computers “without authority”
Typical remedies:
  Sealing the record
  Injunctive relief
  Costs and attorneys’ fees
Can combine with common law claim for “trespass to chattels”
Example: hacker reconstructed and sold competitor’s customer list
  Record sealed under Virginia computer crimes statute
  Ex parte TRO and preliminary injunction
  UPS, Inc. v. Matuszek, Case No. 1:97-cv (E.D. Va. 1997)
62 State computer crimes laws
Former dealer accessed “dealers only” site, ordered to pay attorneys’ fees + cost of having forensic expert image and analyze computers
  NACCO Materials Handling Group, Inc. v. The Lilly Co., --- F.R.D. ----, 2011 U.S. Dist. LEXIS, 2011 WL (W.D. Tenn. Nov. 16, 2011)
Licensee hired consultant to “work around” and avoid paying for undisclosed “authorization key” to relocate software
  Failure to disclose actionable under CFAA and Connecticut statute
  Roller Bearing Co. of America, Inc. v. American Software, Inc., Case No. 3:07-cv (D. Conn.)