2. Electronic Communications Privacy Act and Employers (ECPA)
Enacted in 1986
Amends Omnibus Crime Control Act
Copyright 2001 Brett J. Trout
3. ECPA
Prohibits interception of e-mail
Prohibits access to stored e-mail
Allows Employers to monitor employees
Applies to both
Accessing database
Capturing keystrokes
4. ECPA Title II
Prohibits intentional access of an electronic communication service
Relates to any stored electronic communication
Email
Fax
etc.
5. ECPA Title II Exceptions
Provider of the service
AOL
Employer
Etc.
Anyone with authorization
Express
Implied.
6. ECPA Title III
Prohibits intentional interception of any electronic communication
Makes it a crime to capture email while en route
7. ECPA Title III Exceptions
Employee consented
impliedly
expressly
employment agreement
email policy
Employer interception must be in the ordinary course of business
8. ECPA Take Home
Employer can
Monitor stored e-mail
Intercept e-mail
Give Employees express notice
employment agreement
email policy
Monitor only in ordinary course of business
Stop reading if e-mail is personal
9. Computer Fraud and Abuse Act
Enacted in 1984 to stem computer crime
Amended in 1996 (National Information Infrastructure Protection Act) to criminalize:
Threats to computer networks
Release of viruses or worms
Hacking
Hijacking
Destructive ecommerce activity
10. CFAA Makes it Illegal
To knowingly access a computer without authorization
For fraudulent purposes
To access confidential information
To access financial information
To cause damage to a computer system
11. Economic Espionage Act
Enacted in 1996
18 U.S.C. section 1831 et seq.
Makes it illegal to take or receive trade secrets
Enacted to curb economic and industrial espionage
12. EEA
Civil Penalties
Injunction
Forfeiture of profits and instrumentalities
to government
Criminal Penalties
Injure or benefit - 10yr/250K/5M
Benefit foreign power – 15yr/500K/10M
13. Hacking
According to PricewaterhouseCoopers
Hacking cost United States companies $1.5 trillion in 2000
World Trade Center insurable loss: $50 billion
One year of hacking equals 30 Trade Center attacks.
14. Types of Hacking
Denial of Service Attack
Packet Sniffing
Spoofing
Keystroke Monitoring
Viruses
Cracking
Exploiting Holes
Diddling
15. Denial of Service Attack
Any action to prevent server from functioning
Usually enlists unsecure computers to bombard server with requests
Floods server
Prevents normal functioning
Difficult to track down
16. Packet Sniffing
Internet information travels in packets with a “header”
Sniffer software searches for packets containing these headers
Used to audit and identify network packet traffic
Can uncover passwords and/or usernames
Easy to do
Difficult to detect
17. Spoofing
Pretending to be another user
Includes
Deceptive sender information (spam)
Deceptive use of username and/or password
18. Keystroke Monitoring
Inexpensive software
Installed on computer
Hardwired to computer
Allows
Reconstruction of user’s activity
Identification of usernames/passwords
Illegal
19. Viruses
Software that
Modifies other software
Replicates itself
Sends itself on to other computers
Types
Replication
DOS
Data destruction
20. Virus Prevention
Virus protection software
Only works if it is turned on
Constantly update
Keep apprised of latest viruses
Do not open attachments from unknown senders
21. Virus Prevention
Do not open files with extensions:
.exe
.vbs
.pif
Use Eudora, rather than Outlook
22. Cracking
Defeating copy-protection
Determining passwords/usernames
Typically illegal
23. Exploiting Security Holes
Microsoft XP e-wallet
Unauthorized users could get credit card information
Microsoft Outlook
Vulnerable to viruses
Keep abreast of
New developments
Patches
24. Diddling
Obtaining unauthorized access to
Modify
Delete
Set time bomb
25. Insurance
Typically very expensive
Very good exercise to identify and address problems
26. Insurance
The number of companies who cited their Internet connection as a frequent point of attack has increased steadily from 47% in 1998 to 70% in 2001.
Marsh Advantage America
Leisa Fox
www.netsecuresite.com
27. Insurance
78% of companies acknowledged financial losses due to computer breaches
37% of companies are willing or able to quantify their financial losses
The most serious financial losses occur through theft of proprietary information.
Marsh Advantage America-Leisa Fox
www.netsecuresite.com
28. Misconceptions
I have staff in place who are keeping me safe
I have a firewall, so I’m protected
Our network is password protected, so I’m doing all I can.
Our contracts transfer liability, so I have nothing to worry about
My employees would never do anything to jeopardize my company’s data
29. Risks
Legal Risks
Credibility Risks
Security Risks
Financial Risks
Marsh Advantage America-Leisa Fox
www.netsecuresite.com
30. Legal Risks
Defense Costs - exaggerated because of the lack of current case law
Inability to determine value of Intellectual Property
Copyright/Trademark Infringement
Libel/Slander & Defamation
Plagiarism
D&O suit for insufficient security measures
Regulatory Costs
31. Security Risks
Digital Terrorism
Internal Crime
External Crime
Virus Attacks
Marsh Advantage America-Leisa Fox
www.netsecuresite.com
32. Credibility Risks
Organizations that experience security breaches keep them quiet.
A breach can do grave damage to a company’s reputation.
Marsh Advantage America-Leisa Fox
www.netsecuresite.com
33. Financial Risks
Prior risks translate into costs:
Business Income Loss
Reconstruction of lost data
Investor Relationships
Defense Costs
Marsh Advantage America-Leisa Fox
www.netsecuresite.com
34. Solutions
Identify & Prioritize the risks
Consider Technology Solutions
Consider Process/Policy Solutions
Transfer or Eliminate Risks that are too costly to retain
Marsh Advantage America-Leisa Fox
www.netsecuresite.com
35. Key People
The C’s - CEOs, CFOs, CTOs, CSOs, CIOs
Human Resources
IT
Marketing
Legal Counsel
Risk Manager/Insurance Agent
Marsh Advantage America-Leisa Fox
www.netsecuresite.com
36. Misconceptions
I have coverage under my package policy
I have an E&O Policy that covers it
I have an EDP Policy
Marsh Advantage America-Leisa Fox
www.netsecuresite.com
37. Policies Cover
Policies may include coverage for:
Virus Attacks
Data reconstruction
Business Income Loss
Disaster Recovery
Defense Costs, etc.
Marsh Advantage America-Leisa Fox
www.netsecuresite.com
38. Costs
Pricing varies greatly based on exposures.
Third party policies are vastly more affordable than First party policies.
You can expect to pay anywhere from $7,500 to $100,000 for a Cyber Risk Policy.
Marsh Advantage America-Leisa Fox
www.netsecuresite.com
39. Internet Privacy
“You have zero privacy anyway. Get over it.”
Scott McNealy, Sun Microsystems CEO, Wired News (March 11, 1999)
40. Internet Privacy Policy
Components
Notice of Data Collection – How, What, Why
Choice – Partial or total “opt out”
Access to Data – Option to modify or delete
Security
41. Internet Privacy
Privacy Policy
Develop one today
Follow it
Designate IT privacy czar
Audit your policy - regularly
42. Consumer Privacy Protection Act
Pending legislation
Mandates privacy collection procedures
Private Right of Action
$50,000 statutory damages
Punitive damages
Attorney fees
Something like this will become law
43. Cookies
A computer science term
An opaque piece of data held by an intermediary
44. What is a Cookie?
HTTP header
Text-only string
Associated with your browser
Unique identifier
Cannot be used as a virus
Cannot access your hard drive.
45. DoubleClick
DoubleClick used cookies to aggregate user information
Users sued
SDNY Court held 3/28/2001
No violation
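The cookie mechanism that slides 43 through 45 describe, as an added Python example that is not part of the original deck: the server hands the browser an opaque text string in a Set-Cookie header, the browser stores it and echoes it back in the Cookie header on later requests, and the server uses that string as a unique key under which it aggregates the visits (the DoubleClick pattern). The TrackingServer and Browser classes, the host name ads.example and the page paths are constructed for this example; the header parsing uses the standard library's http.cookies module. The example goes one step beyond the slides by also showing what the server sees when the browser declines cookies.

```python
"""Model of the HTTP cookie exchange (constructed example, not the deck's material)."""
import secrets
from http.cookies import SimpleCookie


class TrackingServer:
    """Hypothetical server that identifies returning browsers by an opaque cookie value."""

    def __init__(self, cookie_name="uid"):
        self.cookie_name = cookie_name
        self.visits = {}  # opaque id -> list of paths requested with that id

    def handle(self, path, request_headers):
        """Serve one request; return (id used for this request, response headers)."""
        # The Cookie header is plain text; SimpleCookie parses its "name=value" pairs.
        jar = SimpleCookie(request_headers.get("Cookie", ""))
        morsel = jar.get(self.cookie_name)
        response_headers = {}
        if morsel is None:
            # First contact: mint a random identifier. It carries no meaning on its own;
            # the server's own table is what links it to a history of visits.
            uid = secrets.token_hex(16)
            out = SimpleCookie()
            out[self.cookie_name] = uid
            out[self.cookie_name]["path"] = "/"
            response_headers["Set-Cookie"] = out[self.cookie_name].OutputString()
        else:
            uid = morsel.value
        self.visits.setdefault(uid, []).append(path)
        return uid, response_headers


class Browser:
    """Hypothetical client that keeps a per-host cookie store and echoes it back."""

    def __init__(self, accept_cookies=True):
        self.accept_cookies = accept_cookies
        self.store = {}  # host -> {cookie name: value}

    def get(self, host, path, server):
        """Request path from server, sending stored cookies and storing any new ones."""
        headers = {}
        if self.store.get(host):
            headers["Cookie"] = "; ".join(
                f"{name}={value}" for name, value in self.store[host].items()
            )
        uid, response_headers = server.handle(path, headers)
        if self.accept_cookies and "Set-Cookie" in response_headers:
            # Only the name=value pair is kept; attributes such as Path are metadata.
            parsed = SimpleCookie(response_headers["Set-Cookie"])
            self.store.setdefault(host, {}).update(
                {name: m.value for name, m in parsed.items()}
            )
        return uid


def browse(accept_cookies=True, paths=("/news", "/sports", "/weather")):
    """Visit three pages on one host; return the server and the id seen on each request."""
    server = TrackingServer()
    browser = Browser(accept_cookies)
    ids = [browser.get("ads.example", p, server) for p in paths]
    return server, ids


if __name__ == "__main__":
    server, ids = browse()
    print("cookies accepted: distinct ids =", len(set(ids)),
          "; history =", server.visits[ids[0]])
    server, ids = browse(accept_cookies=False)
    print("cookies declined: distinct ids =", len(set(ids)))
```

With cookies accepted, all three requests carry the same identifier and the server's table holds the full browsing history under it; with cookies declined, the server mints a fresh identifier on every request and the visits cannot be linked. Nothing in the exchange is executable code and nothing touches the client's disk beyond the browser's own cookie store, which is the point of the "cannot be used as a virus" bullet; the privacy exposure lies entirely in the server-side table keyed by the cookie value.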
46. Children’s Online Privacy Protection Act
Requires the Federal Trade Commission to issue and enforce regulations which regulate the ability of Web sites to collect personal information from children under the age of 13.
47. COPPA
Passed into Law October 21, 1998
Covers personal information collected after April 21, 2000
COPPA applies to Web sites and online services that are
Targeted to children under 13, or
Know they are collecting data from children under 13.
48. COPPA Requirements
Post a privacy policy
Conspicuous
What data you collect
What you do with it.
Obtain verifiable consent from the child's parent before you collect any data
Importantly, a change in policy requires new consent
49. COPPA Requirements
Give option to revoke consent
Allow parents to review data collected
Ensure security and integrity of the data you collect.
50. Gramm-Leach-Bliley
Subjects “financial institutions” to certain reporting and disclosure requirements intended to ensure the personal and financial privacy of customers
51. “Financial Institution”
Lending, exchanging, transferring, investing for
others, or safeguarding money or securities;
Issuing or selling instruments representing
interests in pools of assets which a bank can
hold directly;
Engaging in any activity … so closely related to
banking or managing … as to be a proper
incident thereto.
52. GLB Data Disclosure
Opt out
Prohibits disclosure by financial institution, without allowing consumer to opt out.
Third party disclosure
Allowed for the purpose of permitting third party to perform services for the financial institution.
53. GLB Data Disclosure
Prohibits third party from disclosing nonpublic personal information
Unless disclosure would be lawful if made directly to such other person by the financial institution.
Prohibits sharing of account number information for marketing purposes
Different requirements for different levels of relationships.
54. Health Insurance Portability and Accountability Act
Forces health providers and insurers to use technology in a more uniform, less proprietary manner
56. Areas of Focus
Technical Security Services
User authorization and authentication
Access control and encryption
Administrative Procedures
Formal security planning
Record maintenance and audits
Physical Safeguards
Security to building
Privacy for workstations handling patient information
57. HIPAA
Can apply to both health care and non-health care entities
Forces covered entities to uniformly transmit and receive certain data electronically
Requires the use of standard identifiers (rather than proprietary codes) to identify health care providers, employers, health plans and patients
58. Employers
Must have written policies and notify employees of HIPAA policies
Must get consents to the release of certain information in certain circumstances
Must give employees access to their medical records
Must have contracts in place with providers to ensure that they safeguard information
59. Employers
Identify stored health information and who has access to it
Identify how the information is used and its flow
Correlate all privacy policies
Standardize all relevant third-party provider contracts
60. European Union Directive on Privacy
Effective 25 October 1998
Every EU member state must enact national law consistent with the Directive
Many EU countries had privacy laws before the Directive
61. EU Directive
World-wide standard
Enforcement has begun in the U.S.
62. Compliance
The Safe Harbor
Specific contracts blessed by European Data Protection Authorities
Exceptions or derogations to the Directive
63. Safe Harbor
Seven privacy principles issued by US Department of Commerce on July 21, 2000 for “personal data” collection
64. Seven Provisions
Notice
Opt in
Opt out
Security
Maintain Integrity of Data
Procedure for Data Correction
Data Transfer
65. Notice
Clear Language
Purpose of Collection
Contact information for inquiries or complaints
To whom you disclose information
Options for limiting use and disclosure of the information.
66. Opt in/Opt out
Opt out
Disclosed to third party
Used for new purpose
Opt in
Sensitive information
Race, health, union membership, sexual preference
If disclosed to third party
If used for new purpose
67. Security
Loss
Misuse
Unauthorized access
Disclosure
Alteration
Destruction.
68. Maintain Integrity of Data
Reliable for intended use
Accurate
Complete
Current.
69. Procedures For Correction
Correct, amend, or delete inaccurate information
Not necessary where:
Burden much greater than potential harm
Would compromise confidential information of others
70. Data Transfer
Must include
Notice Provisions
Choice Provisions
Agent must
Subscribe to the foregoing principles; or
Enter into a written agreement requiring the agent to provide at least the same level of privacy protection as the provider
71. Safe Harbor
Access
Individuals must have access to “their” information
Ability to correct or remove inaccurate information
“Disproportionate burden” exception
Enforcement
Mechanisms for investigating and resolving complaints
Procedures for verifying privacy statements
Obligation to remedy problems
72. EU Directive
Enforcement by competitors
Failure to comply could lead to cut-off in data and actions against European partners
73. Falling Under Safe Harbor
Self-certification on DOC website
Hard part - applying to business practices
Financial services firms cannot join Safe Harbor unless under the FTC
74. EU Directive
Over 40 countries now have substantial privacy laws
Most either copy or comply with the EU Privacy Directive
75. EU Directive
Compliance requirement is real
Safe Harbor likely best but not only option
Don’t copy another company’s privacy policy
76. What To Do
Audit current privacy practice
Develop EU Directive conforming policy
Comport practice with policy
Require Warranties & Indemnities from third parties using your data
Encrypt data transmissions
77. Privacy Technology
Establish Firewall
Monitor Cookies – turn off as appropriate
Run Virus Detection Software
Anonymizer
TRUSTe - will review your privacy policy
Asymmetric cryptography
Future technology
Platform for Privacy Preferences (P3P)
Defines exactly the level of information disclosed
78. Additional Steps
Security Policies
Rotate passwords
Monitor access and file transfer
Implement network vulnerability study
Implement a disaster recovery plan
Limit modification of workstation
Obtain insurance