Post on 18-Jan-2016
Presentation for
Data Protection 2003, South Eastern Europe
Conference on Regional Security Through Data Protection
December 1-2, 2003
Cybercrime, Cyber Security, & Privacy:
The 3-Legged Stool
JODY R. WESTBY, Esq. The Work-IT Group
December 1-2, 2003
The International Legal Landscape
Cybercrime, Privacy & Cyber Security Are Global Issues; 200 Countries Connected to Internet
Cybercrime, Privacy & Security of Information Infrastructure Important to National & Economic Security Interests
Industrialized Countries Addressing; Developing Countries Lagging
International Legal Framework Highly Inconsistent
© JODY R. WESTBY, Esq. The Work-IT Group December 1-2, 2003
Nexus Between Cyber Security, Privacy, & Cybercrime
Major Component of Cyber Security is Ability to Protect Against Unauthorized Access & Disclosure; Enterprise Approach Needed; Must be Able to Deter, Detect, Obtain Evidence
Privacy & Security Breaches Are Cybercrimes; Laws Deter, Enable Prosecution
Privacy Dependent upon Security; Driven by Laws, Culture
(Diagram: the three legs of the stool are Cybercrime, Privacy, and Security)
American Bar Association Privacy & Computer Crime Committee
Section of Science & Technology Law, 3 Publications:
International Guide to Combating Cybercrime (available now)
International Corporate Privacy Handbook (to be published early 2004)
International Strategy for Cyberspace Security (to be published early 2004)
Approach to Publications
Written with public/private participation
Involvement of lawyers, industry representatives, government personnel, NGOs, academia, international participants
Working Groups
Plenary review of all text
Heavily footnoted, live links, readable citations
Privacy/Data Protection
Data Held by Both Public & Private Entities
Perception & Assumption of Privacy v. Reality
Differing Legal Protections
No Global Uniform Approach
Data Protection in the Electronic Age
Technology Has Removed Cloak of Privacy
Credit card records
Computers in automobiles (Event Data Recorders)
GPS system data
Telephone records and utility bills
ISP traffic data
Web site cookies
Surveillance cameras
Data mining software
There are few corners of life without a digital fingerprint
Data Protection Against What?
Theft of Data
Unauthorized Disclosure of Data
Inappropriate, Illegal Use of Data
Fraud
Corruption or Sabotage of Data
Avenues of Protection
Constitutions
Statute or Regulation
Court or Administrative Decisions (Common Law)
Confidential & Proprietary Information
Classic Intellectual Property & Trade Secret
Contract & Non-Disclosure Agreement
Other Legal Considerations
Tracking and Tracing
Common Law Rights
Monitoring in the Workplace
Disclosure of Personal Information, Tort Actions
Freedom of Information Act, Information Sharing
Computer Crime Laws - Prosecutorial Thresholds, Evidentiary Requirements
Jurisdictional Issues
Enforcement: U.S. Model Links Privacy & Security
Federal Trade Commission Rulings Require 4-Part Program:
1. Designating Appropriate Personnel to Oversee Privacy/Security Program
2. Identifying Reasonably Foreseeable Internal & External Risks to Security, Confidentiality, & Integrity of Personal Information
3. Conducting an Annual Written Review by Qualified Persons
4. Adjusting Program to Fit Findings From Reviews, Monitoring, Operational Changes
A Global Approach is Needed
U.S. Sectoral Approach v. Universally Applicable for Collection, Use, Dissemination of Personal Information
Regulatory Enforcement v. Privacy Commissioner
International Legal Framework Varied
EU Data Protection Directive Has Had Greatest Impact
Interconnected Network Demands International Approach:
(1) national and international initiatives
(2) consistent global framework
(3) accepted best practices and resources
(4) implementation of effective privacy & security programs
(5) technological considerations.
Best Resource
American Bar Association’s International Corporate Privacy Handbook
To be published early 2004
Complimentary Copies to Developing Countries
Email: westby@work-itgroup.com or westby@mindspring.com
Cyber Security
A Strategy for Cyberspace Security
“An international strategy for cyberspace security is only possible through the evolution of consistent practices, international cooperation, and the involvement of all users—public and private, large and small. Each user must accept the responsibilities for cyber security attendant to their system.”
International Strategy for Cyberspace Security
A Strategy for Cyberspace Security
Categories of infrastructure to be protected
Key legal parameters and international initiatives
Information on best resources and practices
Guidance on the development of a complete security program
Implementation and technological considerations
Enterprise Security Program: Plans, Policies & Procedures
Security Plan: Overall Strategic Document that Serves as the “Business Plan” for Securing an Organization’s Information, Systems, and Networks
Security Policies: Components of the Security Plan that Define how the Organization’s Data, Applications, and Network are to be Secured. Policies are High-Level Statements that are Relatively Static and Empower and Enforce Security Procedures.
Security Procedures: Move the Policies into Action Through the Organization's People and Processes.
Development of a Security Plan
Main Elements:
Governance Structure: Senior Management & Boards of Directors; Cross-Organizational Security Team; Personnel; Change Management
Classification: Data; Applications; Network & Systems
Legal Considerations & Risks: Compliance Requirements; Jurisdictional Differences; Contracts, NDAs; Confidential, Proprietary Information & Due Diligence
American Bar Association’s
International Strategy for Cyberspace Security
To be published early 2004
Complimentary Copies to Developing Countries
Email: westby@work-itgroup.com or westby@mindspring.com
Best Resource
Cybercrime
Cybercrime Laws Vary in Form and Penalties/Punishment
Industrialized Nations’ Laws Protect Computer & Communication Systems and Data Transiting & Residing In These Systems
Cybercrime Laws Generally Apply To:
Use of computers & Internet for illegal purposes (viruses, hacking, unauthorized acts)
Crimes against communication systems
Crimes facilitated by the use of a computer
Wiretap, pen register, and trap and trace laws to protect privacy and facilitate investigations
Combating Cybercrime Is Multifaceted
Requires Effective Cybercrime Laws
Has Jurisdictional Considerations
Requires International Cooperation in Investigations and Prosecution
Search & Seizure of Electronic Evidence Requires Expertise and Cooperation
Public and Private Sector Cooperation Important
Cybercrime Laws Important for Developing Countries
Confidentiality, Integrity, & Availability of Data & Networks Central to Attracting FDI and ICT Operations
Protect Integrity of Government & Reputation of Country
Keep Country from Becoming Haven for Bad Actors, Repositories of Data
Instill Market Confidence & Certainty Regarding Business Operations
Provide Protection for Protected Information
Protect Consumers & Assist Law Enforcement, Intelligence Gathering
Deter Corruption
Increase National Security & Reduce Vulnerabilities
Provide a Means for Prosecution and Civil Action for Cybercrimes
Increase the Likelihood Electronic Evidence Will be Available
Cybercrime Laws Protect Citizens
Help Protect Freedom of Expression, Human Rights, & Other International Rights
Enhance Statutory & Constitutional Rights (rights to privacy, protections on search/seizure & self-incrimination)
Help Ensure Citizen Use of ICTs, Access/Exchange Information
Strengthen Consumer Confidence Against Fraud
Consistent International Legal Framework is Emerging
U.S., Europe, G8, Council of Europe are Global Leaders
CoE Convention on Cybercrime
EU Ministers of Justice adopted the Proposal for a Council Framework Decision on attacks against information systems on March 4, 2003.
G8 Ten Principles to Combat High-Tech Crime
G8 Action Plan to Combat High-Tech Crime
G8 24/7 Point of Contact Network (30 countries)
Okinawa Charter on Global Information Society
Jurisdictional Issues
Possible for Cyber Criminal to be Physically Located in One Country, Weave an Attack Through Multiple Countries & Computers, and Store Evidence on Servers in yet Another Country
Victims May be All Over Globe
Internet Borderless but Law Enforcement Must Stop at Borders
Substantive & Procedural Laws of Countries May Conflict
Letters Rogatory & MLATs
Dual Criminality Requirements Very Problematic
Needs to be Way to Secure Extradition; Extradition Treaties One Method
Global Needs
Model Cybercrime Laws
Increased Participation by Developing Countries
Increased Donor Assistance in Cybercrime Laws
Training Programs for Law Enforcement, Prosecutors
International Initiative to Promote Cooperation
Multinational Initiatives to Address Jurisdictional Issues, Cooperation of Law Enforcement, Search & Seizure of Electronic Evidence
Improved Tracking & Tracing Capabilities
Improved Communications & Shared Initiatives Between Policymakers, Technical Bodies, Private Stakeholders, Law Enforcement
Best Resource
American Bar Association’s International Guide to Combating Cybercrime
http://www.abanet.org/abapubs/books/cybercrime/
Complimentary Copies to Developing Countries
Email: westby@work-itgroup.com or westby@mindspring.com
ABA Privacy & Computer Crime Committee: 3 Guides “Connect the Dots”
Understand Nexus Between Privacy, Security & Cybercrime
Understand Developing Global Legal Framework
Identify Best Practices, Standards, Resources Available
Understand How to Implement Complete Privacy & Security Program (protect, secure, enforce)
Understand Science & Technological Considerations
The Work-IT Group
THANK YOU!