
Policy Development and Frameworks for Cyber Security in Corporates and Law Firms

Published online by Cambridge University Press:  16 November 2018

Abstract

Despite an ongoing drive by organizations around the world to improve the sophistication of their risk mitigation measures, cyber-attacks are continually increasing. A study by PandaLabs shows that in the second quarter of 2016 alone, 18 million new malware samples were captured.2 Another study, from the Computer Crime and Intellectual Property Section (CCIPS) of the U.S. Department of Justice, shows that more than 4,000 ransomware attacks occurred daily in 2016, a 300% increase over 2015, when about 1,000 ransomware attacks were seen per day.3 These studies reflect the double effect of technology: it connects the world and facilitates cyber-attacks at the same time.

Type
Articles
Copyright
Copyright © The Author(s) 2018 


Footnotes

1 © Hala Bou Alwan 2018. The author holds an LLM from Université La Sagesse, Furn-El-Chebak, Lebanon and is currently earning her Executive LLM from Boston University, Massachusetts, USA. This paper was supervised by Professor Virginia Greiman of Boston University.

2 Panda Media Centre, PandaLabs detects 18 million new malware samples in the second quarter of the year, July 28, 2016, https://www.pandasecurity.com/mediacenter/panda-security/18-million-new-malware-samples-in-the-second-quarter/.

3 Computer Crime and Intellectual Property Section, How to Protect Your Networks from Ransomware, The U.S. Department of Justice, https://www.justice.gov/criminal-ccips/file/872771/download. (Last visited Feb. 16, 2018).

References

4 NCA Strategic Cyber Industry Group, Cyber Crime Assessment 2016, 7 July 2016, http://www.nationalcrimeagency.gov.uk/publications/709-cyber-crime-assessment-2016/file.

5 National Institute of Standards and Technology, Glossary, https://csrc.nist.gov/Glossary/?term=190.

6 NIST Releases Update to Cybersecurity Framework, NIST, January 10, 2017, https://www.nist.gov/news-events/news/2017/01/nist-releases-update-cybersecurity-framework.

7 Cybersecurity standards and certification, European Union Agency for Network and Information Security, 2018, https://www.enisa.europa.eu/topics/standards.

8 Cyber Resilience Review (CRR): NIST Cybersecurity Framework Crosswalks, Homeland Security, February 2016, https://www.us-cert.gov/sites/default/files/c3vp/csc-crr-nist-framework-crosswalk.pdf.

9 National Institute of Standards and Technology, Glossary, https://docplayer.net/5903909-Austrian-cyber-security-strategy.html. (Last visited Oct. 12, 2018).

10 EastWest Institute, Russia-U.S. Bilateral on Cybersecurity: Critical Terminology Foundations, April 26, 2011.

11 A-Plan blog, 3 billion users were affected by Yahoo cyber breach, A-Plan, https://blog.aplan.co.uk/yahoo/. (Last visited Oct. 12, 2018).

12 Jonathan Stempel, Jim Finkle, Yahoo says all three billion accounts hacked in 2013 data theft, Reuters, Oct. 3, 2017, https://www.reuters.com/article/us-yahoo-cyber/yahoo-says-all-three-billion-accounts-hacked-in-2013-data-theft-idUSKCN1C82O1. (Last visited Oct. 12, 2018).

13 Nicole Perlroth, All 3 Billion Yahoo Accounts Were Affected by 2013 Attack, New York Times, Oct. 3, 2017, https://www.nytimes.com/2017/10/03/technology/yahoo-hack-3-billion-users.html. (Last visited Oct. 12, 2018).

14 Jonathan Stempel, Morgan Stanley pays $1 million SEC fine over stolen customer data, Reuters, June 8, 2016, https://www.reuters.com/article/us-morgan-stanley-sec/morgan-stanley-pays-1-million-sec-fine-over-stolen-customer-data-idUSKCN0YU27J (last visited Feb. 15, 2018).

15 Michael Riley, Glen Carey, John Fraher, Destructive Hacks Strike Saudi Arabia, Posing Challenge to Trump, Bloomberg Technology, Dec. 1, 2016, https://www.bloomberg.com/news/articles/2016-12-01/destructive-hacks-strike-saudi-arabia-posing-challenge-to-trump. (Last visited Oct. 12, 2018).

16 Ed Clowes, Destructive computer virus ‘Shamoon’ hits Saudi Arabia for third time, Gulf News, Jan. 30, 2017, http://gulfnews.com/business/sectors/technology/destructive-computer-virus-shamoon-hits-saudi-arabia-for-third-time-1.1970590. (Last visited Oct. 12, 2018).

17 David Jones, Jim Finkle, U.S. indicts hackers in biggest cyber fraud case in history, Reuters, July 25, 2013, https://www.reuters.com/article/us-usa-hackers-creditcards/u-s-indicts-hackers-in-biggest-cyber-fraud-case-in-history-idUSBRE96O0RI20130725 (last visited Feb. 15, 2018).

18 Substantive cybercrime laws (e.g., laws prohibiting online identity theft, hacking, intrusion into computer systems, child pornography, intellectual property offenses, online gambling):
18 U.S.C. § 1028—Fraud and related activity in connection with identification documents, authentication features, and information
18 U.S.C. § 1028A—Aggravated identity theft
18 U.S.C. § 1029—Fraud and related activity in connection with access devices
18 U.S.C. § 1030—Fraud and related activity in connection with computers
18 U.S.C. § 1037—Fraud and related activity in connection with electronic mail
18 U.S.C. § 1343—Fraud by wire, radio, or television
18 U.S.C. § 1362—[Malicious mischief related to] Communications lines, stations, or systems
18 U.S.C. § 1462—Importation or transportation of obscene matters
18 U.S.C. § 1465—Transportation of obscene matters for sale or distribution
18 U.S.C. § 1466A—Obscene visual representation of the sexual abuse of children
18 U.S.C. § 2251—Sexual exploitation of children
18 U.S.C. § 2252—Certain activities relating to material involving the sexual exploitation of minors
18 U.S.C. § 2252A—Certain activities relating to material constituting or containing child pornography
18 U.S.C. § 2252B—Misleading domain names on the Internet [to deceive minors]
18 U.S.C. § 2252C—Misleading words or digital images on the Internet
18 U.S.C. § 2425—Use of interstate facilities to transmit information about a minor
18 U.S.C. § 2319—Criminal infringement of a copyright
17 U.S.C. § 506—Criminal offenses [related to copyright]
47 U.S.C. § 605—Unauthorized publication or use of communications
The Unlawful Internet Gambling Enforcement Act of 2006
Procedural cybercrime laws (e.g., authority to preserve and obtain electronic data from third parties, including internet service providers; authority to intercept electronic communications; authority to search and seize electronic evidence):
18 U.S.C. §§ 2510-2522—Interception of wire, oral, or electronic communication
18 U.S.C. §§ 2701-2712—Preservation and disclosure of stored wire and electronic communication
18 U.S.C. §§ 3121-3127—Pen registers and trap and trace devices

20 P. Kasperowicz, House votes to streamline cross-state insurance sales, thehill.com, Oct. 9, 2010, http://thehill.com/blogs/floor-action/house/321375-house-votes-to-streamline-cross-state-insurance-sales. (Last visited Oct. 12, 2018).

21 H.R.4289 - Department of Homeland Security Interoperable Communications Act, Congress.gov, March 24, 2014, https://www.congress.gov/bill/113th-congress/house-bill/4289. (Last visited Oct. 12, 2018).

22 Xavier Becerra, Data Security Breach Reporting, Office of the Attorney General, 2016, https://oag.ca.gov/privacy/databreach/reporting.

23 Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030): the main federal criminal statute regulating hacking and other computer crimes. The CFAA generally criminalizes: accessing computers without, or in excess of, authorization; and using unlawfully accessed computers to obtain information, to defraud, or to cause loss or damage to another or to the US government. In United States of America v. Aaron Swartz, Aaron Swartz, an American computer programmer, writer, political organizer and Internet activist, was prosecuted for multiple violations of the CFAA after downloading a great many academic journal articles through the MIT computer network from a source (JSTOR) for which he had an account as a Harvard research fellow. Facing trial and the possibility of imprisonment, Swartz committed suicide, and the case was consequently dismissed.

Protected computers under the CFAA: The CFAA governs cases involving protected computers, which are defined as computers that meet one or more of the following criteria: exclusively used by a financial institution or the US government, or where the offense affects the computer's use by or for a financial institution or the US government; or used in or affecting interstate or foreign commerce or communication. This includes use of computers located outside the US that affects interstate or foreign commerce, or communication within the US.

Wiretap Act and Electronic Communications Privacy Act: Randall David Fischer v. Mt. Olive Lutheran Church, et al., 207 F. Supp. 2d 914 (W.D. Wis. March 28, 2002).

Stored Communications Act (SCA): The SCA makes it illegal to intentionally access, without or in excess of authorization, a facility through which an electronic communication service is provided, and thereby to obtain, alter, or prevent authorized access to a wire or electronic communication while it is in electronic storage in that facility. Carpenter v. United States.

DMCA anti-circumvention: The DMCA prohibits the circumvention of technological anti-piracy measures built into most commercial software to control access to copyrighted works. Universal City Studios, Inc. v. Corley, 273 F.3d 429 (2d Cir. 2001).

Racketeer Influenced and Corrupt Organizations Act (RICO Act): The RICO Act provides criminal penalties, including up to 20 years' imprisonment, for acts performed as part of an ongoing criminal organization. Specifically, the RICO Act penalizes those engaged in a pattern of racketeering activity, which requires at least two predicate acts; fraud and related activity in connection with identification documents is among the predicate offenses. Boyle v. United States, No. 07-1309 (2009).

SEC Office of Compliance Inspections and Examinations (OCIE).

Financial Industry Regulatory Authority (FINRA).

Gramm-Leach-Bliley Act (GLBA): Under the GLBA, financial institutions are required to "establish appropriate standards" to safeguard a customer's personal financial information, in order "(1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer." Landry v. Union Planters Corp., 2003 WL 21355462 at *3 (E.D. La. 2003) (quoting H.R. Rep. No. 106-434, at 245 (1999), reprinted in 1999 U.S.C.C.A.N. 245, 245) (emphasis added).

Payment Card Industry Data Security Standard (PCI DSS): The PCI DSS is not a "law" but a set of security requirements that the payment card brands impose by contract on any organization that stores, processes or transmits cardholder data, such as a retailer, a payment processor or a financial institution; it is not limited to U.S. companies. Among other general requirements, the standard calls for the need to "develop and maintain secure systems and applications" and the need to "track and monitor all access to network resources and cardholder data." TJX Companies Inc. v. Framingham.

Health Insurance Portability and Accountability Act of 1996 (HIPAA): Under HIPAA, a healthcare facility must protect against any reasonably anticipated threat or hazard to the security or integrity of protected health information. Under HIPAA, criminal fines can range from $50,000 to $250,000, in addition to civil litigation exposure. Whalen v. Roe, 429 U.S. 589, 599 (1977).

Health Information Technology for Economic and Clinical Health Act (HITECH Act): The HITECH Act expands the scope of the institutions covered under HIPAA to include any organization or individual who handles protected health information on behalf of a covered entity, which could now include banks, businesses, schools and other organizations.

24 18 U.S. Code § 1030 - Fraud and related activity in connection with computers, Legal Information Institute, Cornell Law School, https://www.law.cornell.edu/uscode/text/18/1030. (Last visited Oct. 12, 2018).

25 Details of Treaty No. 185, Convention on Cybercrime, Council of Europe, https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185. (Last visited Oct. 12, 2018).

26 Aaron Kelly, Cybercrime laws in the United States, Kelly/Warner, 2017, http://www.aaronkellylaw.com/cybercrime-laws-united-states/. (Last visited Oct. 12, 2018).

27 Bureau of Experts at the Council of Ministers, Kingdom of Saudi Arabia, 2017, https://boe.gov.sa/Main-Default.aspx?lang=en. (Last visited Oct. 12, 2018).

28 Cyber Security Framework, Saudi Arabian Monetary Authority, May 2017, http://www.sama.gov.sa/en-US/Laws/BankingRules/SAMA%20Cyber%20Security%20Framework.pdf. (Last visited Oct. 12, 2018).

29 Federal Decree-Law no. (5) of 2012, Issued on 25 Ramadan 1433 AH, Corresponding to 13 August 2012 AD, ON COMBATING CYBERCRIMES, United Arab Emirates Ministry of Justice, http://ejustice.gov.ae/downloads/latest_laws/cybercrimes_5_2012_en.pdf. (Last visited Oct. 12, 2018).

30 Federal Law No. (3) of 1987 Concerning Promulgating the Penal Code, https://www.centralbank.ae/pdf/amlscu/Federal-Law-No.3-1987.pdf. (Last visited Oct. 12, 2018).

31 Ministry of the Interior, The International Cyber Crime Conference to Start March 16, March 15, 2016, https://www.moi.gov.ae/en/media.center/news/news2k20160315.aspx. (Last visited Oct. 12, 2018).

32 Infosecurity Magazine, Cybercrime is now big business, https://www.infosecurity-magazine.com/opinions/cybercrime-is-now-big-business/. (Last visited Oct. 12, 2018).

33 Mark Hosenball, CIA to make sweeping changes, focus more on cyber ops: agency chief, Reuters, March 6, 2015, https://www.reuters.com/article/us-usa-cia/cia-to-make-sweeping-changes-focus-more-on-cyber-ops-agency-chief-idUSKBN0M223920150306. (Last visited Oct. 12, 2018).

36 Cybersecurity Framework: 2.1 Framework Core, Version 1.0, p. 10, Feb. 12, 2014, NIST, https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf. (Last visited Oct. 12, 2018).

37 National Institute of Standards and Technology (NIST), Cybersecurity Framework, https://www.nist.gov/cyberframework. (Last visited Oct. 12, 2018).

38 The 2017 State of Cybersecurity Metrics Annual Report, Thycotic, 2017, https://thycotic.com/wp-content/uploads/2013/03/2017-Cyber-Security-Strategy-Metrics-Report.pdf. (Last visited Oct. 12, 2018).

39 Federal Trade Commission - FTC Seeks Public Comment on Sears Holdings Management Corporation Petition to Reopen and Modify Commission Order Concerning Online Browsing Tracking (Nov. 8, 2017)

Federal Trade Commission - FTC Earns Prestigious International Award for AshleyMadison.com Data Breach Investigation (Sept. 27, 2017)

Federal Trade Commission - Operator of Online Tax Preparation Service Agrees to Settle FTC Charges That it Violated Financial Privacy and Security Rules (Aug. 29, 2017)

Federal Trade Commission - VIZIO to Pay $2.2 Million to FTC, State of New Jersey to Settle Charges It Collected Viewing Histories on 11 Million Smart Televisions without Users’ Consent (Feb. 6, 2017).

40 Kenneth C. Johnston, Dan Klein, The February 2016 California Attorney General's Data Breach Report Sets a Standard for “Reasonable Security”—What Does This Mean for Cybersecurity Litigation?, American Bar Association, May 2016.

41 What is a cyber tort?, Millstone, Peterson & Watts LLP, June 17, 2016 https://www.mpwlaw.net/blog/2016/06/what-is-a-cyber-tort.shtml. (Last visited Oct. 12, 2018).

42 Rustad, Michael L., Global Internet Law (2016). Global Internet Law, West Academic Publishing (Hornbook Series), 2nd ed., 2016; Suffolk University Law School Research Paper No. 16-6. Available at SSRN: https://ssrn.com/abstract=2743390. (Last visited Oct. 12, 2018).

43 Vincent Johnson, Cybersecurity, Identity Theft, and the Limits of Tort Liability, Berkman Center for Internet and Society at Harvard University (2005), http://cyber.law.harvard.edu/cybersecurity/Cybersecurity,_Identity_Theft,_and_the_Limits_of_Tort_Liability. (Last visited Oct. 2, 2018).

44 Hogan Lovells, ‘Unsurprisingly, U.S. Court Rules that Cloud Provider Must Produce Data Stored Abroad', Chronicle of Data Protection, Aug. 12, 2014.

45 National Institute of Standards and Technology, Information on Current and Future States of Cybersecurity in the Digital Economy, Chamber of Commerce Input to the Commission, Sept. 9, 2016.

46 Id.

47 Julie Sobowale, Law firms must manage cybersecurity risks, ABA Journal, March 2017, http://www.abajournal.com/magazine/article/managing_cybersecurity_risk. (Last visited Oct. 12, 2018).

48 Will Fitzgibbon, Emilia Diaz-Struck, Panama Papers have had historic global effects - and the impacts keep coming, ICIJ Investigations, Dec. 1, 2016, https://www.icij.org/investigations/panama-papers/20161201-global-impact/. (Last visited Oct. 12, 2018).

49 Thomson Reuters, Thomson Reuters report on Paradise papers, 2017.

50 Perkins Coie, Security Breach Notification Chart, https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart.html. (Last visited Oct. 12, 2018). Westlaw Practical Law, Breach Notification Statutes, Thomson Reuters 2017.

51 Integro, What law firms need to know about cybercrime and coverage, https://integrogroup.com/uploads/white_papers/Integro_Law_Cyber_Crime_White_Paper_1453_August_2017.pdf. (Last visited Oct. 12, 2018).

52 Julie Sobowale, Law firms must manage cybersecurity risks, ABA Journal, March 2017, http://www.abajournal.com/magazine/article/managing_cybersecurity_risk.

53 Thomson Reuters, Pillsbury, FireEye Align to Provide Cybersecurity Compliance Program: Risk, new regulations necessitate comprehensive cybersecurity solutions, Nov. 14, 2016, https://www.thomsonreuters.com/en/press-releases/2016/november/thomson-reuters-pillsbury-fireeye-align-to-provide-cybersecurity-compliance-program.html.

54 PwC, Middle East Information Security Survey 2016, https://www.pwc.com/m1/en/publications/middle-east-information-security-survey-2016.html. (Last visited Oct. 12, 2018).

55 Id.

56 Thomson Reuters and Deloitte Survey, Financial Crime in the Middle East and North Africa - 2017, https://mena.thomsonreuters.com/content/dam/openweb/documents/pdf/mena/report/mena-financial-crime-report-2017.PDF. (Last visited Oct. 12, 2018).

57 International Telecommunication Union, ITU Global Cybersecurity Index 2017, https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2017-PDF-E.pdf. (Last visited Oct. 12, 2018).

58 UAE federal law, Federal Law No. 17 of 2002 (as amended by Federal Law No. 31 of 2006) regulating and Protecting the Industrial Property of Patents, Industrial Drawings and Prototypes (the Industrial Property Law); Federal Law No. 7 of 2002 in respect of Author Copyright and Parallel Rights (the Copyright Law); and Federal Law No. 37 of 1992 (as amended by Law No. 19 of 2000 and Law No. 8 of 2002) concerning Trade Marks (the Trade Marks Law).

59 Benjamin Hopps and Stuart Paterson, United Arab Emirates Cyber Security, “Criminal prosecutions are often not publicly reported in the UAE and examples of enforcement actions are rare. Figures released by Dubai police's cybercrimes department show that it received 1,549 reports in 2014, broken down as follows: 248 fraud cases, 163 information security cases, 389 extortion and libel cases, 235 website crimes and 514 miscellaneous cybercrimes.” Available online at: https://gettingthedealthrough.com/area/72/jurisdiction/33/cybersecurity-united-arab-emirates/

60 Noor Al-Fawzan and Omar Elsayed, Data Protection in the Kingdom of Saudi Arabia: A Primer, Latham & Watkins, https://www.lw.com/presentations/Data-Protection-in-the-Kingdom-of-Saudi-Arabia. (Last visited Oct. 10, 2018).

61 US Government Accountability Office, CYBERSECURITY: Actions Needed to Strengthen U.S. Capabilities, GAO-17-440T, published and publicly released Feb. 14, 2017, https://www.gao.gov/products/GAO-17-440T.

62 T.J. Smedinghoff, The new law of information security, https://www.cs.jhu.edu/~rubin/courses/sp07/Reading/newlawis.pdf. (Last visited Oct. 10, 2018).

63 Reuters Business News, Target shares recover after reassurance on data breach impact (Feb. 26, 2014), https://www.reuters.com/article/us-target-results/target-shares-recover-after-reassurance-on-data-breach-impact-idUSBREA1P0WC20140226.

65 Richard D. Marks and Paul T. Smith, Analysis and Comments on HHS's Just-released HIPAA Security Rules, Bulletin of Law / Science & Technology, ABA Section of Science & Technology Law, No. 124 April 2003, at p. 2, available at http://www.abanet.org/scitech/DWTSecurityRules021703.pdf. (Last visited Oct. 10, 2018).

66 Cloud Standards Customer Council, Security for Cloud Computing: Ten Steps to Ensure Success, Version 2.0, http://www.cloud-council.org/deliverables/CSCC-Security-for-Cloud-Computing-10-Steps-to-Ensure-Success.pdf. (Last visited Oct. 10, 2018).

67 Thomson Reuters, Third party risk, 2017, https://risk.thomsonreuters.com/en/risk-solutions/third-party-risk-management.html. (Last visited Oct. 10, 2018).

68 National Conference of State Legislatures, Security Breach Notification Laws, http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx. (Last visited Oct. 10, 2018).

69 David Navetta, Kristopher Kleiner, and Erin Locker, Norton Rose Fulbright US LLP, with Practical Law Intellectual Property & Technology, Cyber Security, Thomson Reuters Practical Law, 2016.