Being a Victim can be a Crime [Ain’t Losin’ Data a Breach?]

Presented at THOTCON 0x6 (2015), May 15, 2015, 3 p.m. (25 minutes)

Data scientists, heuristic analysis, APTs, ransomware; no doubt information security intrigues us with sexy wrapping. The unfortunate reality is that the bulk of a security engineer’s laborious task of protecting sensitive information is spent on basic blocking and tackling, while being bound by governmental and regulatory rules. Regardless of the lens through which you view your work, reducing information systems risk to an acceptable level is your job. That risk includes a legal aspect. My THOTCON session will prepare you for the challenges (and too often, the surprises) of legal risk. The most troubling legal challenge for Information Security and Risk Management teams has its roots in privacy law. Privacy law addresses both data protection and data breach notifications. Jurisdiction complexity compounds the legal challenge. I’ll elaborate using an extreme case such as a law firm with healthcare, banking and intellectual property practices. As their attorney, the law firm will be storing their clients’ customer/client/patient data [including personal identification information, financial information and healthcare information]. In the Information Age, doing business on the Internet results in customers that may well be geographically dispersed, sometimes even globally. From a governmental perspective, the law firm may have unique data breach notification requirements that encompass all 50 United States, Europe and the Pacific Rim. Privacy legislation is evolving beyond data breach notifications. As an example, Kentucky's new data protection law will also provide protection on how student data that is stored in the cloud may be used. Almost all of the United States have more than one new privacy law pending and to further complicate your legal responsibilities, government is only one-side of the jurisdictional complexity equation. An IT organization may also be scrutinized by one or more regulatory standards such as PCI, GLBA, HIPAA, CJIS or others, which are also on a trend towards stricter requirements. Once you’ve gained comprehensive knowledge of privacy law, you’ll need to integrate those legal requirements into your Incident Response Plan. On that note, after all you have invested in protecting sensitive data, I expect you will want to go for the throat of the guilty culprit. Just like our real world, "CSI cyber-space" must adhere to the legal requirements of the judicial system. Event logs are an excellent form of evidence during prosecution, but only if you’ve documented the chain of custody, including hash files that can prove your electronic evidence was not tampered with. Legal battles aren’t always us versus them. Employer – employee relationships include a legal perspective that cannot be overlooked. Providing employees with internet access is a double-edge sword. A lack of internet access is a huge turn off for most young employment candidates. Unfortunately, employers who open up their internet connection to employees, may well be opening up Pandora’s Box. Consider the potential for productivity to tank when an employee’s workspace becomes a virtual hang out with friends on Facebook. What legislation [if any] addresses employees posting sensitive corporate data or negative comments pointed at their employer on social networking sites? Freedom of speech? What is legally acceptable in a work contract? How can corporate policy prevent employee initiated corporate damage? Now consider that it’s a two way street: employers are beginning to demand candidate employees’ social networking credentials. Is this legal? GPS on your mobile device? Are you being tracked? Stalked? It is important that both employers and employees be aware of the legal aspect of internet activity and protection of sensitive data, while concurrently respecting privacy. What will the future hold? Is it possible that someday the company will be held liable if an employee doing personal banking on a corporate workstation over the company’s internet connection becomes the victim of fraud? Can an employee’s perception of the company’s "secure internet connection" result in the employer’s responsibility? If we still have time and the audience has interest, I will be prepared to address the significant increase in cybersquatting due to ICANN [The Internet’s governing body] promoting an influx of new top level domains. There are laws to protect your Web trademark [aka domain name]. Know them so your company can protect their hard earned, marketing investment. The legal vector intersects our information security endeavor at numerous touch points. During my THOTCON session I will address each point, while connecting the dots and thereby arming you with a holistic picture of the legal aspect of information security.


  • Anthony Czarnik
    Currently, Anthony Czarnik leads CzarTek [], an information security and compliance firm, which he founded at the beginning of 2014. For SMB clients, CzarTek provides vCISO services, which includes addressing clients’ legal IT risk. Major services include risk assessments and formal information security program development. Relevant to his proposed THOTCON presentation, Anthony develops incident response plans which address data breach notifications, FBI involvement and court-admissible electronic forensic evidence. For municipalities, CzarTek also provide CJIS [Criminal Justice Information Systems] compliance services. The CzarTek team includes security engineers and GRC consultants / auditors. They provide security controls testing [pen testing, etc.] and compliance services [ISO 27001/2 Certification Readiness Assessments, etc.]. Prior to CzarTek, Anthony led the security practice at Savid Technologies for five years. Mr. Czarnik recently completed a course on Cyber Law at John Marshall Law School. His thesis addressed the legal risk associated with information systems and sensitive data, including the effect of a data breach. The geographical scope comprehensively covered global personal information including government jurisdiction internationally down through each U.S. state. Data breach notifications, regulatory non-compliance fines and legal requirements for court admissible forensics evidence were also addressed. Anthony’s unique blend of education, experience, insight, professionalism [balanced with a dark side] makes him a natural fit for the THOTCON stage.

Similar Presentations: