The Manager’s Guide to Cybersecurity Law: Essentials for Today's Business
Ebook, 377 pages, 5 hours


About this ebook

In today’s litigious business world, cyber-related matters could land you in court. As a computer security professional, you are protecting your data, but are you protecting your company? While you know industry standards and regulations, you may not be a legal expert. Fortunately, in a few hours of reading, rather than months of classroom study, Tari Schreider’s The Manager’s Guide to Cybersecurity Law: Essentials for Today’s Business, lets you integrate legal issues into your security program.

Tari Schreider, a board-certified information security practitioner with a criminal justice administration background, has written a much-needed book that bridges the gap between cybersecurity programs and cybersecurity law. He says, “My nearly 40 years in the fields of cybersecurity, risk management, and disaster recovery have taught me some immutable truths. One of these truths is that failure to consider the law when developing a cybersecurity program results in a protective façade or false sense of security.”

In a friendly style, offering real-world business examples from his own experience supported by a wealth of court cases, Schreider covers the range of practical information you will need as you explore – and prepare to apply – cybersecurity law. His practical, easy-to-understand explanations help you to:

  • Understand your legal duty to act reasonably and responsibly to protect assets and information.
  • Identify which cybersecurity laws have the potential to impact your cybersecurity program.
  • Upgrade cybersecurity policies to comply with state, federal, and regulatory statutes.
  • Communicate effectively about cybersecurity law with corporate legal department and counsel.
  • Understand the implications of emerging legislation for your cybersecurity program.
  • Know how to avoid losing a cybersecurity court case on procedure – and develop strategies to handle a dispute out of court.
  • Develop an international view of cybersecurity and data privacy – and international legal frameworks.

Schreider takes you beyond security standards and regulatory controls to ensure that your current or future cybersecurity program complies with all laws and legal jurisdictions. Hundreds of citations and references allow you to dig deeper as you explore specific topics relevant to your organization or your studies. This book needs to be required reading before your next discussion with your corporate legal department.

Language: English
Release date: Feb 1, 2017
ISBN: 9781944480301
Author

Tari Schreider, SSCP, CISM, CCISO, ITIL Foundation

Tari Schreider, SSCP, CISM, C|CISO, ITIL Foundation, is a distinguished technologist and nationally known expert in the fields of cybersecurity, risk management, and disaster recovery. Co-founder of Prescriptive Risk Solutions, LLC (PRS), he is former Chief Security Architect at Hewlett-Packard Enterprise. PRS designs custom solutions for companies with challenging legal and regulatory compliance issues that need to be solved quickly. PRS maintains one of the world’s largest databases of security and disaster recovery incidents with nearly 12,000 incidents covering 10.6 billion compromised records. Mr. Schreider has designed and implemented complex cybersecurity programs including a red team penetration testing program for one of the largest oil and gas companies in the world, an NERC CIP compliance program for one of Canada’s largest electric utility companies, and an integrated security control management program for one of the US’ largest 911 systems. He has advised organizations from China to India on how to improve their cybersecurity programs through his Information Security Service Management – Reference Model (ISSM-RM). Schreider implemented a virtual Security Operations Center network with vSOCs located in the US, Brazil, Italy, Japan, Sweden, and the US. He was also responsible for creating the first Information Sharing and Analysis Center in collaboration with the Information Technology Association of America (IT-ISCA). His earliest disaster recovery experiences included assisting companies affected by the 1992 Los Angeles Rodney King Riots, and 1993 World Trade Center bombing. His unique experience came during the 1990 Gulf War, helping a New York financial institution recover after becoming separated from its data center in Kuwait. Schreider has appeared on ABC News, CNN, CNBC, NPR, and has had numerous articles printed in security and business magazines including Business Week, New York Times, SC Magazine, The Wall Street Journal, and many others. 
He studied Criminal Justice at the College of Social & Behavioral Sciences at the University of Phoenix and holds the following certifications in security and disaster recovery:

  • American College of Forensic Examiners, CHS-III
  • Certified CISO (C|CISO)
  • Certified Information Security Manager (CISM)
  • ITIL™ v3 Foundation Certified
  • System Security Certified Practitioner (SSCP)
  • The Business Continuity Institute, MBCI
  • University of Richmond – Master Certified Recovery Planner (MCRP)


    Book preview

    The Manager’s Guide to Cybersecurity Law - Tari Schreider, SSCP, CISM, CCISO, ITIL Foundation

    Preface

    My nearly 40 years in the fields of cybersecurity, risk management, and disaster recovery have taught me some immutable truths. One of these truths is that failure to consider the law when developing a cybersecurity program results in a protective façade or false sense of security. You may be protecting your data, but you are not protecting your company. Showing you how to avoid the painful lesson of learning this truth too late is the reason I wrote this book.

    This book shows you how to bridge the gap between cybersecurity programs and cybersecurity law. My vantage point is somewhat unique in that I am a board-certified information security practitioner with a criminal justice administration background. While I do not dispense legal advice here, my goal is to provide awareness of various legal considerations that managers should embrace. I do strongly recommend that after you have read this book, you sit with your legal department to begin the discussion of creating a closer relationship between your organization’s cybersecurity policies and practices and the law. We live in a litigious world and therefore must prepare ourselves for the eventuality of a cyber-related lawsuit.

    Your company may have developed its cybersecurity program according to the letter of applicable security standards or industry regulations. But this usually leads to developing your program in a bubble when the law is not considered. My hope is that after reading this book, you will have a whole new way of thinking and approach to your company’s cybersecurity program. Applying what you learn about criminal and civil procedure as well as other lessons presented in this book will allow you to burst out of that bubble.

    Because you have responsibility in your company to protect your company adequately against future cyber liability, you have a duty to think past security standards and regulatory controls to ensure your cybersecurity program complies with all laws and legal jurisdictions.

    Finally, let me remind you that you should not act on any advice in this book without first seeking legal advice.

    Tari Schreider

    Atlanta, Georgia – Cheyenne, Wyoming

    January 2017

    Chapter 1

    Introduction to Cybersecurity Law

    A sense of excitement and anxiety rushes over you simultaneously upon receiving an invitation to present your cybersecurity program to senior executives of your company. At last, you have achieved recognition for creating a cybersecurity program that meticulously follows industry standards! Your proposal has passed several independent assessments and even garnered approving nods from internal audit. Filled with confidence and thinking your life as a leader and manager in cybersecurity couldn’t be better, you embark enthusiastically on your carefully prepared presentation. Then, shortly after your opening remarks, your organization’s chief legal counsel chimes in, “Have you ensured our cybersecurity program complies with and supports all the legal statutes we must adhere to?” Your answer to this question will get the immediate attention of the senior leadership of your company – and imprint the question of your subject-matter competency on their minds. As the champion of your organization’s cybersecurity program, your challenge is to answer this question skillfully in order to earn the confidence and respect of those with the authority to support and fund your cybersecurity initiatives.

    This chapter will help you to:

    •  Communicate effectively with your company’s legal counsel by having a working knowledge of how the US legal system applies to cybersecurity.

    •  Seek out and implement ways to improve your company’s cybersecurity program to avoid post-cyberattack lawsuits.

    •  Upgrade your cybersecurity policies to comply with state, federal, and regulatory statutes.

    1.1 Infamous Cybercrimes

    You may have seen many headlines, articles, or lists showcasing computer hacking and other cybercrime events; however, few focus on the cybercriminals who have been charged, prosecuted, and convicted for their cyber offenses. Before we begin our cybersecurity law journey, I think it only appropriate to offer some examples of what happened when the crime was over and the offenders were punished.

    Significant cybercrime court cases of the past five years include:

    •  October 18, 2012 – Top executives of Kolon Industries indicted for stealing DuPont’s Kevlar trade secrets. Using computers to copy intellectual property and then to destroy the data, Kolon pleaded guilty and paid $360 million in restitution. Several executives were sentenced to prison terms (E.I. DuPont de Nemours, 2011).

    •  July 26, 2013 – Five Russian and Ukrainian hackers charged in a $300 million crime involving the theft and use of 160 million credit card numbers from Carrefour SA, JCPenney, JetBlue Airways, Visa, and others (Williams, 2015).

    •  August 27, 2014 – Former acting director of cybersecurity at the US Department of Health and Human Services (HHS) convicted on child pornography charges. Ultimately he was sentenced to 25 years (Robinson, 2014).

    •  December 17, 2015 – Six defendants from China, Germany, Singapore, and the US pleaded guilty to a $100 million software piracy scheme. Over a period of six years, 170,000 stolen Microsoft and Adobe activation keys were sold illegally (US Department of Justice, 2015).

    •  September 1, 2016 – A Romanian hacker known as Guccifer received a 52-month prison sentence for 100 counts of unauthorized access to a protected computer and aggravated identity theft (US Department of Justice, 2016).

    TIP: Compare the examples above with the security technologies and practices you currently have in place, and ask yourself whether your methods would have detected trade secret theft, hacker intrusions, a senior executive violating a security policy, use of pirated software, or employee identity theft.

    1.2 Civil vs. Criminal Cybersecurity Offenses

    As the manager of cybersecurity, you may need to deal with both civil and criminal cases.

    •  Criminal cases will result from either an insider committing a cyber offense or an external party hacking into your computer systems.

    •  Civil cases will arise from your organization suing a company, or from a company suing you, for some harm caused by a cyberattack.

    In both instances, your cybersecurity program will need to address each scenario. You must also be ready to be either the plaintiff or the defendant.

    •  In a civil case, as the plaintiff, you would be claiming that some entity has failed to fulfill a legal duty. For example, you would be the plaintiff if your company is bringing suit against a cloud service provider that exposed your customers’ data due to an incorrectly configured firewall.

    •  As a defendant, an entity would be accusing your organization of the same. In criminal cases, the government or a private entity will bring the case against you (the defendant), and your role will be to gather evidence to disprove the alleged offense. For example, you will be the defendant if a class action lawsuit is brought against your company following a hacking incident where customer data was stolen.

    By now, you should be contemplating how to ensure your cybersecurity program supports these legal scenarios. The determination of whether it is a civil or criminal matter begins with the establishment of the crime.

    1.2.1 Clarifying the Definition of Cybercrime

    No universal definition of cybercrime exists; however, a general consensus exists that cybercrime falls into two categories. The first category is current crimes that are now committed using computers and networks. The second includes crimes that have specifically evolved in the computer age and use sophisticated methods to commit crime. Definitions of cybercrime have fundamental similarities in a broad sense; however, a diverse array of opinions nonetheless exists.

    •  Not surprisingly, many courts also have varying interpretations of cybercrime, including how to spell the term, which is often rendered as cyber crime, cyber-crime, or cybercrime.

    •  Contributing to the disparity of definitions is the changing landscape of technology. Cloud computing, software-defined infrastructure, and outsourcing have all but obliterated many definitions of cybercrime. A clear and concise definition of cybercrime establishes the proper foundation for developing policies and practices to detect, prevent, and mitigate offenses. I will discuss more about policy creation in Chapter 6.

    An understandable definition of cybercrime bridges the gap between the law and your cybersecurity program and brings clarity to the portions of your cybersecurity program that address criminal offenses.

    1.2.2 Challenging Your Current Definition of Cybercrime

    Is the current description of the crimes clear and concise enough to create actionable policies and practices? Many definitions just state that computer crime is the commission of a crime through the use of equipment and networks. I argued just such a point with a client once and even performed a breach of security simulation to prove the point. The exercise consisted of USB sticks strewn across their parking lot, with the hope that a few unsuspecting employees would pick them up and attempt to read the data. Approximately a dozen employees were detected by the client’s endpoint security software plugging the USB sticks into their computers. The exercise showed that no crime had been committed according to their definition as neither a computer nor a network was used to commit the offense. Their legal department agreed and subsequently made modifications to their definition of cybercrime. How do you feel your employees would do with a similar test?

    1.2.3 Creating a Strong Cybercrime Definition

    Depending on geographical location and jurisdiction, cybercrime definitions vary. You will want your cybercrime definition to hold true regardless of the rapidity of legislative and technological change, as well as to adhere to multiple legal jurisdictions. Consider peer-testing your cybercrime definition against one that I have developed over my career of working with numerous companies. This definition has evolved from dozens of legal department reviews:

    Cybercrime is a criminal act in which computerized equipment, automated service, or communications mechanism is either the object or the means of perpetrating legal or regulatory restricted or prohibited offenses.

    Such a definition has a number of advantages:

    •  Including the word offenses in the definition rather than citing specific examples such as theft or fraud makes the definition timeless.

    •  The use of the words equipment, service, and communications frees the definition from being dependent on specific technologies.

    •  You will not need to cite specific examples such as cybertheft or computer fraud in your definition, as those examples will always be a crime regardless of a cyber component.

    To ensure that your cybersecurity program defines cybercrime adequately in an actionable sense, be sure to validate the definition with your company lawyers.

    1.2.4 Cybercrime Categories in the Incident Response Plan

    Once you have a vetted and approved cybercrime definition, don’t forget about identifying the likely types of cybercrimes to which your organization is exposed. Naming cybercrimes within the definition will burden the description unduly by limiting its applicability and usefulness, which is why it is important to identify them separately. The proper place to address the identified cybercrimes is in your company’s incident response plan, a set of instructions or tasks specifying the actions necessary to respond to a specific security emergency. Emergencies could include virus outbreaks, loss or theft of an employee-assigned laptop containing sensitive information, or a ransomware attack. Using a risk assessment as your guide, focus on the cybercrimes with the highest possible likelihood of occurrence which have a correspondingly high potential of impact.

    To aid in the identification of cybercrimes, you will find it helpful to examine the four primary categories:

    1.  Personal Cybercrimes. These types of crimes target people and consist of cyberbullying, cyberstalking, identity theft, identity impersonation, fraud scams, data theft, ransomware attacks, etc.

    2.  Institutional Cybercrimes. These types of crimes target companies or governments and consist of denial of service attacks, cybervigilantism, cyber terrorism, cyber-slander, hacktivism, website defacement, etc.

    3.  Property Cybercrimes. These types of crimes target digital property and consist of data theft, computer sabotage, data destruction, etc.

    4.  Inchoate Cybercrimes. Inchoate is a specific legal term that is used to describe crimes that have been started, but not completed. An example of this type of crime would be where a hacker has completed the initial steps of an attack on a network or computer (target). These steps could include scanning a target for potential vulnerabilities, verifying the vulnerabilities exist on the target, and installing malicious software to siphon away confidential data. In this example, all the hacker would need to do to complete the crime is activate the malicious software remotely. What would make this an inchoate crime is that the last step of activating the malicious software is never completed. Despite the fact that such crimes are incomplete and no harm has yet occurred, they were nonetheless attempted, demonstrating that a substantial criminal effort was under way. Inchoate crimes also include cyber conspiracy, cybersolicitation, cyberstalking, and other types of attempted crimes.

    TIP: The tone and scope of a cybersecurity program start with a proper cybercrime definition. The definition will shape the construction of information and asset protection policies and practices. Address specific high-risk cybercrimes within your incident response plan.

    1.3 Understanding the Four Basic Elements of Criminal Law

    It would be nearly impossible to build connections to the law in your cybersecurity plan without at least knowing the fundamentals of criminal law. If you know how the legal system determines guilt or innocence, you can better create a cybersecurity program with appropriate enforcement mechanisms.

    One of the biggest disconnects in cybersecurity programs and the law is in the area of security policies. You will need to ask yourself if the security policies of your company hold employees to a higher standard than the law or if you would terminate an employee violating a policy without criminal intent. Policies will be discussed more in Chapter 6.

    The four elements of criminal law which you should be familiar with are mens rea, actus reus, concurrence, and causation. It is advisable for you to use these four elements of criminal law as your security policy enforcement standard to avoid legally contested terminations resulting from a security policy violation.

    1.3.1 Mens Rea

    The first element of criminal prosecution is proving mens rea, or a guilty state of mind of the offender. However, as cybercriminals operate remotely and generally without witnesses, it is nearly impossible to prove their intent or state of mind while they are hacking into a computer system or network. You may also think of this as the evil intent of the offender.

    1.3.2 Actus Reus

    Actus reus is the second and the most critical element of pursuing a case against an unknown subject (unsub) or perpetrator. Simply put, actus reus is the criminality of the offense itself where law enforcement collects the evidence and witness testimony necessary to prove beyond a reasonable doubt that one or more individuals committed the crime. Unfortunately, existing laws all but make it impossible for prosecutors to establish actus reus due in part to the ease with which criminals can cover their digital tracks or evidence. Uncovering evidence requires highly experienced forensic investigators. See Chapter 4 for more detail on digital forensics.

    1.3.3 Concurrence

    The third element of a crime is concurrence. As if mens rea and actus reus were not difficult enough to determine individually, prosecutors also need to show they occurred at the same time – the element of concurrence. Offenders cannot be found guilty without a direct connection between the mens rea and actus reus elements of a crime, or in other words they had the intent to violate a law as well as cause harm. Early computer criminals were often found not guilty because prosecutors could not prove both their evil intent and evil acts.

    1.3.4 Causation

    Causation is the fourth element of an offense and one of the most difficult to prove. Here, prosecutors must prove the criminal activity and the outcome or detrimental effects of that activity. Causation is essentially actus reus in association with harm. The difference between the elements of concurrence and causation may seem subtle, but it is significant. Concurrence just means that two things must happen at the same time. Causation is the conduct of the perpetrator and the result of his or her act. You may think of this as the harm caused to people or property as a result of a criminal activity.

    1.4 Branches of Law

    You will encounter three basic types of law in cybersecurity: public, private, and regulatory.

    •  Public cyberlaw refers to cybercriminals and the government. Public law is part of the criminal legal system allowing the government to bring an action against those that violate cybersecurity and privacy laws.

    •  Private cybersecurity law applies to companies with respect to their obligations and contracts. Private law, part of the civil legal system, allows companies to resolve common law disputes also called tort law.

    •  Regulatory law, also known as administrative law, sets out the rules and regulations prescribed by various governmental agencies.

    1.5 Tort Law

    Up to this point, you have learned how cyberlaw relates to criminals, but how does cybersecurity law relate to your organization? Organizations can be held liable for a cyberattack. The last thing you would want to occur after surviving an attack is to face a lawsuit for causing and contributing to the cyberassault.

    A tort is a civil wrong that happens when a group or individual
