Lost in Cyberspace? Preventing, monitoring, and responding to breaches of security and cyber attacks Reducing liability for compromises to third party.

Presentation transcript:

Lost in Cyberspace? Best Practices for Maintaining Security on the Internet and in the Cloud

Lost in Cyberspace?
- Preventing, monitoring, and responding to breaches of security and cyber attacks
- Reducing liability for compromises to third party data
- Special risks posed by social media and mobile devices
- “Best practices”
- Physical security
- Contractual agreements
- Policies and procedures
- “Damage control”
- Insurance
- Reporting obligations
- Accounting and valuation consequences
- Litigation options

The in-house perspective
- Handles regulatory and compliance issues
- Responsible for public sector/government contracting issues
- Significant experience with internal and government investigations
Roberto Facundus
Global Compliance Attorney
salesforce.com, Inc.

The auditor’s perspective
- Certified Information Systems Auditor
- Extensive experience with IT security and privacy assessments, audits, and compliance
- Frequent speaker and author on risks associated with cloud computing
- Member of Grant Thornton Cyber Security Committee
Orus Dearman, CISA
Director, Advisory Services
Grant Thornton LLP

The litigator’s perspective
- Litigated cutting edge issues ─ including computer crimes and trade secret matters ─ for past 28 years (22 in Richmond)
- Member of Privacy, Security & Information Management and Trade Secret Noncompete Practice Groups
- Chair of Foley D.C. office Litigation Department
Michael J. Lockerby
Partner
Foley & Lardner LLP

The in-house perspective
- Detecting cyberattacks
- Facilities security
- Worldwide security certifications
- Best practices
- User awareness training

What is Cloud Computing?
Traditional:
- On-premise
- Servers & Datacenters
- Engineers
- Energy Costs
- Pay for disruptive upgrades
- Not elastic
Cloud:
- On-demand
- Cloud company maintains IT infrastructure & costs
- Upgrades included
- Pay by subscription
- Scales with you

Phishing email

Phishing/Malware Email

Malware attack

Maximum Facilities Security
- 24/7/365 on-site security
- All doors, including cages, are secured through a combination of biometrics and/or proximity card readers
- Multiple security challenges required to reach Salesforce environment
- Low profile fully anonymous exteriors
- Digital camera (CCTV) coverage of entire facility
- Perimeter bounded by concrete bollards/planters
- A silent alarm and automatic notification of appropriate law enforcement officials protect all exterior entrances
- CCTV integrated with access control and alarm system
- Motion-detection for lighting and CCTV coverage

Worldwide Security Certifications
- ISO 27001
- SSAE 16 (SOC 1, 2, and 3)
- GSA “Authority to Operate”
- PCI
- JIPDC (Japan Privacy Seal)
- Tuv (Germany Privacy Mark)
- SysTrust
- TRUSTe

Trust & Transparency
Success is built on trust. And trust starts with transparency.
- Real-time information on system performance and security
- Live and historical data on system performance
- Up-to-the-minute information on planned maintenance
- Updates on phishing, malware, and social engineering threats

User Awareness Training
- New Hire Training
  - All employees and contractors
  - Summary of security obligations
- Annual Training Class
  - Must take a test and pass
- Newsletters
  - Monthly publication to everyone
  - Covers relevant and timely security topics

Best Practices
- Implement IP Restrictions
- Consider Two-Factor Authentication
- Secure Employee Systems
- Use malware/spyware utilities
- Strengthen Password Policies
- Require Secure Sessions (https://)
- Decrease Session Timeout Thresholds
- Identify a Primary Security Contact

The auditor’s perspective
- Overview of cloud computing
- Principal characteristics
- Types and models
- Why management is buzzing about this trend
- Risks of cloud computing
- Responding to a security breach

Principal characteristics
- Network enabled
- Abstraction of infrastructure
- Resource democratization
- Services oriented architecture
- Elasticity and dynamism of resources
- Utility model of consumption and allocation
© Grant Thornton. All rights reserved.

Types and models
Types of Clouds:
- Public: Shared computer resources provided by an off-site third-party provider
- Private: Dedicated computer resources provided by an off-site third party or use of cloud technologies on a private internal network
- Hybrid: Consisting of multiple public and private clouds
Models of Cloud:
- Software as a Service (SaaS): Software applications delivered over the Internet
- Platform as a Service (PaaS): Full or partial operating system/development environment delivered over the Internet
- Infrastructure as a Service (IaaS): Computer infrastructure delivered over the Internet
- Desktop as a Service (DaaS): Virtualization of desktop systems serving thin clients, delivered over the Internet or a private Cloud

Why management is buzzing about this trend
- Cloud computing is the future of IT
- A new and flexible model for deploying technology
- Extremely reliable and infinitely scalable
- Cost benefits and ease of ownership
- Allows organizations to expand or contract as needs dictate
- Pay for only what you need at any given time

Potential risks
- What are the physical components of the “Clouds”?
- Data Centers: self-hosted, third-party, both, etc.?
- Network circuits and firewalls: who’s managing, who’s watching, etc.?
- Disaster preparedness and recoverability: is there a plan, is it tested, etc.?
- Who is aware of and managing vendor SLAs and are they adequate?

Potential risks (continued)
- Where is the data and how is it protected?
- In-flight, standing still / at-rest, etc.?
- Archives and back-up?
- Unintended uses?
- Data privacy and compliance?
- What is the tone at the top?
- Stakeholder knowledge of attributes and risks
- Have internal controls evolved effectively?
- Who is monitoring internal use of public cloud services?

Six additional risk areas
- Security
- Multi-tenancy
- Data location
- Reliability
- Sustainability
- Scalability

Security risks
- The cloud provider’s security policies are not as strong as the organization’s data security requirements
- Cloud systems which store organization data are not updated or patched when necessary
- Security vulnerability assessments or penetration tests are not performed to ensure logical and physical security controls are in place
- The physical location of organization data is not properly secured

Multi-tenancy risks
- Organization data is not appropriately segregated on shared hardware, resulting in organization data being inappropriately accessed by third parties
- The cloud service provider has not deployed appropriate levels of encryption to ensure data is appropriately segregated both at rest and in transit
- The cloud service provider cannot determine the specific location of the organization’s data on its systems
- Organization data resides on shared server space which might conflict with regulatory compliance requirements for the organization

Data location risks
- The organization is not aware of all of the cloud service provider’s physical location(s)
- The organization does not know where their data is physically or virtually stored
- The cloud service provider moves organization data to another location without informing the organization
- Organization data is stored in international locations and falls under foreign business or national laws/regulations

Reliability risks
- The cloud service provider has quality of service standards which conflict with operational requirements
- During peak system activity times, the cloud service provider experiences system performance issues that result in the following:
  - Organization employees cannot access the organization’s data when needed
  - Customers are unable to use the organization’s systems (such as placing an order on the organization’s web site) because of performance problems with the cloud provider

Sustainability risks
- In the event the cloud service provider goes out of business, the organization might not be able to retrieve the organization’s data. In addition, another third party might gain access/control of the organization’s data
- The cloud service provider does not have appropriate system recovery procedures in place in the event of a disaster
- The organization’s business continuity plan does not address the cloud’s service offering being unavailable
- Organization data is compromised as a result of a disaster

Scalability risks
- The cloud service provider’s systems cannot scale to meet the organization’s anticipated growth, both for a short-term spike and/or to meet a long-term strategy
- If the organization decides to migrate all or part of the organization’s system and/or data back in-house (or to another provider), the cloud service provider cannot (or will not) provide the data

Responding to a breach
- 2011 data breach statistics
- Breaches are costly
- Prevention
- Incident response
- Post incident activity

2011 data breach statistics
Of 855 security breach incident investigations:
- 98% stemmed from external agents
- 81% utilized some form of hacking
- 69% incorporated malware
- 85% took a week or more to discover (92% by a third party)
- 97% were preventable through intermediate controls
Source: Verizon RISK Team 2012 Data Breach Investigations Report

Breaches are costly
- 6M per event or $197 per record (Ponemon Institute)
- TJX: 47M+ card numbers stolen, $200M+ in costs
- Hannaford Brothers and Sweetbay: 4.2M card numbers stolen, 1,800 cases of fraud
- ABN Amro: 2 million customer records "lost in mail" (DHL)
- DuPont: $400M in trade secrets breached by inside

Prevention
Best Practices:
- Establish a data security policy and promote organizational awareness
- Implement appropriate management, operational, and technical security controls
- Collect the minimum amount of personal information necessary to perform a job
- Adhere to local and federal data disposal laws

Incident response
- Prioritize: Consider the functional/information impact and recoverability of the incident
- Notify:
  - Determine response requirements based on state law for physical possession, copied, or utilization of personal information
  - Notify internal and external stakeholders including government agencies

Incident response (continued)
- Contain: Criteria for determining appropriate strategy
  - Need for evidence preservation
  - Service availability
  - Time and resource requirements
  - Duration of the solution (temporary vs. permanent)
Source: NIST Special Publication 800-61 Revision 2, August 2012

Post incident activity
- Lessons Learned
- Incident reporting
- Adherence to policies and procedures
- Corrective and preventable actions
- Symptoms and precursors for future monitoring
- Additional tools or resources needed to detect, analyze, and mitigate future incidents
Source: NIST Special Publication 800-61 Revision 2, August 2012

Resources
- The ABCs of Cloud Computing: A comprehensive cloud computing portal where agencies can get information on procurement, security, best practices, case studies and technical resources. (GSA / http://www.info.apps.gov)
- Successful Case Studies: A report which details 30 illustrative cloud computing case studies at the Federal, state and local government levels. (CIO Council / http://www.info.apps.gov/sites/default/files/StateOfCloudComputingReport-FINALv3_508.pdf)
- Cloud Computing Definition: Includes essential characteristics as well as service and deployment models. (NIST / http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf)
- Centralized Cloud Computing Assessment and Authorization: The Federal Risk and Authorization Management Program (FedRAMP) has been established to provide a standard, centralized approach to assessing and authorizing cloud computing services and products. FedRAMP will permit joint authorizations and continuous security monitoring services for government and commercial cloud computing systems intended for multi-agency use. It will enable the government to buy a cloud solution once, but use it many times. (CIO Council / http://www.fedramp.gov)

Resources (continued)
- Guidelines on Security and Privacy in Public Cloud Computing: This draft publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment. (NIST / http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf)
- Cloud Security Alliance: To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing. (https://cloudsecurityalliance.org/)
- CloudAudit: To provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments. (http://cloudaudit.org/)

The litigator’s perspective
- Litigation: the nuclear option
- Lessons learned in litigation
- When litigation is unavoidable

Litigation: the nuclear option
- Unavoidable under certain circumstances
- Preliminary injunction may be only way to protect trade secrets
- If trade secrets are particularly sensitive, litigation may be “bet the company” case

Lessons learned in litigation
- Physical and electronic security
- Contract provisions
- Marking
- Exit interviews
- Computer forensics
- Use of the Internet
- When litigation is unavoidable:
  - Obtaining preliminary injunctive relief
  - Effective use of federal and state computer crimes laws

Physical and electronic security
- Locked or limited access
  - Physically
  - Electronically
- Restrict to those with “need to know”
- Forensic examination
- OEMs use standard T&C. Use your bargaining power to bargain the warranties.

Contract provisions
- Employees and contractors
- Prospective merger or joint venture partners
- Suppliers
- Dealers, distributors and franchisees
- Covenant not to use, disclose, or copy
- Right of audit and inspection
- Consent to preliminary injunctive relief in court
- Choice of forum

“Marking” trade secrets
- Clearly identify confidential information
- Avoid over-designation
- Restrict copying (e.g., numbered paper copies, use of “security paper,” “read only” electronic copies)

Maintaining confidentiality
- Exit interviews with departing employees and dealers, distributors, or franchisees
- Review policies and procedures
- Obtain written certification of compliance

Trust, but verify
- Use computer forensic experts to monitor activity:
  - During employment and upon departure
  - During contract term and after termination or nonrenewal

Computer forensic experts
- Determine whether sensitive files were accessed, emailed, downloaded, printed
- Review email history
- Recover “deleted” files
- “Clone” computer hard drives of departing employees
- Ensure that employees have no “reasonable expectation of privacy”
  - Written policies and procedures
  - Periodic reminders
  - Informed consent to monitoring

Trade secrets on the Internet?
- Early view: “Once a trade secret is posted on the Internet, it is effectively part of the public domain, impossible to retrieve.”
  - RTC v. Lerma, 908 F. Supp. 1362, 1368 (E.D. Va. 1995)
  - RTC v. Netcom, 923 F. Supp. 1231 (N.D. Cal. 1995)
- Later view: Not lost if publication “sufficiently obscure or transient or otherwise limited so that it does not become generally known to … potential competitors”
  - DVD Copy Control Ass’n v. Bunner, 10 Cal. Rptr. 3d 185 (Ct. App. 2004)

Trade secrets on the Internet?
Key circumstances:
- How long was it posted?
- How promptly did the owner act?
- Who saw it?
- How accessible and popular is the site?
- Where does it show up in response to search engine queries?
- How much was disclosed?

Preliminary injunctive relief
- Warranted in cases of actual or threatened use of trade secrets
- If trade secrets not yet disclosed or used, may be only remedy
- Prohibitory injunction
- Mandatory injunction: return of embodiments, assignment of patents

Preliminary injunctive relief
- Primary purpose to preserve “status quo”
- “last, actual peaceable uncontested status”
- Is “status quo” that trade secrets already on the Internet or otherwise gone?
- Computer crimes laws require no showing of trade secret protection
- Effect of contractual arbitration provision
- What if no “carve-out” for preliminary injunctive relief?
- Authority that federal courts can preserve status quo pending arbitration
- Still good law now that most ADR rules authorize preliminary injunctive relief?

Ex parte seizure
Federal IP law:
- Lanham Act permits ex parte seizure of counterfeit goods (15 U.S.C. § 1116(d))
- Copyright Act permits temporary injunctive relief, impoundment (17 U.S.C. §§ 502, 503)
Trade secret law:
- No federal private right of action
- Fed. R. Civ. P. 64 preserves state law seizure remedies (state replevin statutes)
- UTSA, Restatement expressly authorize mandatory injunctions

Practice pointers
- Seek expedited trial and preliminary injunction preserving status quo
  - Federal Rule 26(d): expedited discovery
  - Federal Rule 65(a)(2): consolidated preliminary injunction hearing, trial on merits
- Submit proposed order with findings and conclusions
  - “set forth the reasons for its issuance”
  - “be specific in terms”
  - “describe in reasonable detail … the act or acts to be restrained”
  - Federal Rule 65(d)

Practice pointers
- Make injunction binding by service on “other persons … in active concert or participation with” the parties and their “officers, agents, servants, employees, and attorneys” (Federal Rule 65(d)(2))

Practice pointers
- Courts have considerable discretion whether to award injunctive relief and how to fashion it
- May win or lose on “intangible” factors: credibility and reasonableness of witnesses, parties, counsel

Federal computer crimes laws
- Electronic Communications Privacy Act (ECPA)
  - Wiretap Act prohibits interception of communications
  - Stored Communications Act prohibits dissemination or review
- Computer Fraud & Abuse Act (CFAA)

Computer Fraud & Abuse Act
- Prohibits intentional access to computer without authorization, or beyond the scope of any authority
- Applied to employee who erased data on company laptop before resigning
  - Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006)

De-CFAA-nated?
- U.S. v. Nosal, 676 F.3d 854 (9th Cir. April 2012)
  - CFAA provides no remedy against disloyal employees who retrieved confidential information via company user accounts and transferred it to competitor
  - Because defendants were authorized to access the computer, access for an unauthorized purpose was not “without authorization” and did not “exceed[] authorized access”
- WEC Carolina Energy Solutions LLC v. Miller, 2012 U.S. App. LEXIS 15441 (4th Cir. July 26, 2012)
  - CFAA provides no remedy against former employee who, before resigning, downloaded employer’s proprietary information at behest of competitor
  - WEC policies prohibited using information without authorization or downloading to PC but did not restrict Miller’s authorization to access the information

Fourth Circuit’s rationale
- CFAA allows for criminal prosecution
  - But the Copyright Act also criminalizes copying by unlicensed users and licensees exceeding scope of their authorization
- Other “means to reign in rogue employees,” e.g., trade secret law
  - But trade secret protection may have been destroyed

Damages for CFAA violations
- Must be > $5,000
- “any reasonable cost to any victim”
- Can include cost of computer forensic expert
- “cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense”
- Some courts require “interruption of service”
- Statutory provision: “any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service”

State computer crimes laws
- Prohibit “use” of computers “without authority”
- Typical remedies:
  - Sealing the record
  - Injunctive relief
  - Costs and attorneys’ fees
- Can combine with common law claim for “trespass to chattels”
- Hacker reconstructed and sold competitor’s customer list
- Record sealed under Virginia computer crimes statute
- Ex parte TRO and preliminary injunction
- UPS, Inc. v. Matuszek, Case No. 1:97-cv-00744 (E.D. Va. 1997)

State computer crimes laws
- Former dealer accessed “dealers only” site, ordered to pay attorneys’ fees + cost of having forensic expert image and analyze computers
- NACCO Materials Handling Group, Inc. v. The Lilly Co., --- F.R.D. ----, 2011 U.S. Dist. LEXIS 143054, 2011 WL 5986649 (W.D. Tenn. Nov. 16, 2011)
- Licensee hired consultant to “work around” and avoid paying for undisclosed “authorization key” to relocate software
- Failure to disclose actionable under CFAA and Connecticut statute
- Roller Bearing Co. of America, Inc. v. American Software, Inc., Case No. 3:07-cv-01516 (D. Conn.)

Questions and answers

Contact information Roberto Facundus Global Compliance Attorney salesforce.com® [Address] Cell: 415.963.2864 rfacundus@salesforce.com

Contact information Orus Dearman, CISA Director, Advisory Services Grant Thornton LLP 2070 Chain Bridge Rd Vienna, Virginia 22182-2596 Direct: 703.637.4133 Cell: 202.491.6382 orus.dearman@us.gt.com

Contact information Michael J. Lockerby Foley & Lardner LLP Washington Harbour 3000 K Street, N.W. Washington, D.C. 20007 Direct: 202.945.6079 Cell: 804.399.6089 mlockerby@foley.com