
Cyberliability. Introduction and Overview Overview –History –The Problem: Escalating Risks from...

Date post: 23-Dec-2015
Upload: lesley-hubbard
Page 1: Cyberliability. Introduction and Overview  Overview –History –The Problem: Escalating Risks from Internet Connectivity –Cyberliability Discrimination.

Cyberliability


Introduction and Overview

Overview
– History
– The Problem: Escalating Risks from Internet Connectivity
– Cyberliability
  • Discrimination
  • Harassment
  • Information Leaks
  • Offensive Content
  • Defamation and Libel
  • Spam


Overview

– Monitoring Internet Usage: Employer’s Rights and Responsibilities

– Internet Usage Policy Quiz

– Policies, Management Support

– E3 + E3


A quick update…


The Internet is Changing Today’s Business Model

[Diagram labels: LAN, Intranet, WAN, Internet, Branch Office, Suppliers, Telecommuters, Customers]


No More Business as Usual…

New Business Model


It is Not a Luxury, it’s a Competitive Reality

New Rules for a New Type of Business. . .
– Instant access to information
– Speed of execution is critical
– 24 hours per day (7X24)
– Global competition & access
– Provide information without barriers
– End-to-end security


The Internet is Changing Today’s Business Model

[Diagram labels: LAN, Intranet, WAN, Internet, Branch Office, Suppliers, Telecommuters, Customers]

There is one enterprise and it’s global. There is one network and it’s the Internet.


In the near future…


By the year 2002, more than 88 million users in the United States will be connected to the Internet at work, using it as a tool for e-commerce, marketing, supply chain management, remote site connectivity and customer support. (Source: Estats, 1999)

Once connected, these users will have the ability to:
– Disseminate product and company information at a faster rate
– Communicate instantly across geographic boundaries


Once connected, these users will have the ability to: (cont.)

– Lower the costs of providing information and services

– Share information with partners and vendors

– Leverage the power of e-commerce and multimedia applications


You’re not paranoid, they are out to get you…


Who are We Protecting Ourselves From?

– Hackers/Crackers/Phreakers
– Interior or Exterior attack
– Corporate Raiders
– Competitive Intelligence gatherers
– Legitimate or Illegitimate inquiries
– Contractors
– Hacktivist
– Information Warfare


More risk…


Sources of Internet & Intranet Risk:

– Web surfing
– Email
– Downloads
– Spam
– Newsgroups


Cyberliability


Cyberliability

Cyberliability:

“legal proceedings and related costs due to unmanaged Internet & intranet use, including e-mail, web surfing, ftp, newsgroups and spam.”


For Example…

Cyberliability:
– Legal liability: case preparation fees
– Legal liability: settlement or damages
– Damaged image or brand
– Lower shareholder value

Other Risk
– Decreased employee productivity
– Productivity slowdown


Remember we are all connected…

Of all the Internet risks, cyberliability exposes organizations to a new level of cyber-danger.

e-documents are as binding as those written on company letterhead.

There is a trail of “e-evidence”


Bottom Line…

E-mail or web surfing that contains offensive or company confidential information can quickly result in:
– Legal fees (including costs to prepare, litigate and settle cases)
– Depressed stock price
– Negative effect on brand, reputation and organization confidence


Internet & Intranet Environment

Combine the casual atmosphere of Internet communications with this substantial electronic paper trail, and it’s easy to see why the use of “e-evidence” has become the new evidence within the following categories of litigation:
– Discrimination
– Harassment
– Obscenity and pornography
– Defamation and libel
– Information leaks
– Spam


Cyberliability Risks


Cyberliability Risk

– Discrimination
– Harassment
– Information Leaks
– Offensive Content
– Defamation and Libel
– Spam


A complete listing of cyberliability cases and press coverage could fill several volumes.

Let’s chat about a few recent examples.


Discrimination


Discrimination

A Federal court in New York has allowed a class action discrimination suit based on racist e-mails. The defendant is a large Wall Street brokerage firm and the plaintiffs are seeking $60 million in damages. (Owens and Hutton v. Morgan Stanley & Co., Inc., Case No 96 Civ 9747)

Female warehouse employees alleged that a hostile work environment was created in part by inappropriate e-mail. Plaintiffs ask for $60 million in damages; case settles out of court. (Harley v. McCoach, 928 F. Supp. 533, E.D. Pa. 1996)


Harassment


Harassment

International Microcomputer Software pays a former employee $105,000 after she received sexually harassing messages on the firm’s electronic bulletin board, even though the company reported the incident to authorities and launched an internal investigation. (Staff Writer, CNET News.com, April 14, 1999)

Chevron settles sexual harassment lawsuit for $2.2 million over e-mail postings such as: “25 reasons why beer is better than women.” (Jerry Adler, Newsweek, “When E-mail Bites Back,” November 23, 1998)


Information Leaks


Information Leaks

The Justice Department’s anti-trust lawsuit against Microsoft Inc. is based in large part on internal e-mail messages about efforts to insert a bug into Microsoft products to disable competitor’s products. (Wall Street Journal, John R. Wilke, August 27, 1998)

The defense contractor Raytheon sued 21 “John Doe” employees for posting company confidential information on the Internet. Two workers have since been identified and have elected to resign. (Staff Writer, CNET News.com, April 6, 1999, 1:30 p.m. PT)


Information Leaks

The restaurant chain Shoney’s is demanding that Yahoo reveal the identity of 100 people who posted confidential information concerning restaurant closings and an alleged pending bankruptcy filing on message boards. (Staff Writer, CNET News.com, April 12, 1999, 5:00 a.m. PT)


Offensive Content


Offensive Content

The New York Times dismissed 23 employees at an administrative center for violating the company’s e-mail policy regarding “offensive or disruptive messages, including photographs, graphics and audio materials.” (Staff writer, NYTimes, December 1, 1999)

The Xerox Corp. fired approximately 40 people for viewing pornographic sites at work, most managers, directors, and exec-officers. (Richard Mullins, Rochester Democrat and Chronicle, October 7, 1999)


Offensive Content

At least six employees of the US Navy Naval Supply Systems Command (NAVSUP) have been, or are expected to be, suspended for circulating “inappropriate, adult humor material” in e-mails. Another 500 were reported disciplined. (Staff writer, The Sentinel, December 4, 1999)


Defamation and Libel


Defamation and Libel

Wade Cook Financial sues members of a bulletin board for libelous statements about the company. (Liz Enbysk, ZDNET Anchordesk, March 10, 1999)

An insurance company is sued for circulating an e-mail that accused an employee of using her corporate credit card to defraud the company. (Meloff v. New York Life Insurance Co., 51 F.3d 372, 2nd Cir. 1992)


Spam


Spam

GTE blamed spam for the shutdown of one of its mail servers. Several individuals also complained over the year that they were personally shut down after spammers used the individual’s e-mail addresses as forged return addresses. (John C. Dvorak, PC Magazine, March 24, 1998)


Monitoring Internet Usage: Employer Rights and Responsibilities


Monitoring Internet Usage: Employer Rights and Responsibilities

Employer’s Right to Monitor
– Most experts agree that an employer has both the right and the responsibility to manage employee Internet use, but…
– There are no laws on the books that can be interpreted as prohibiting an employer from watching what its employees do on the Internet.


ECPA

The Electronic Communications Privacy Act (ECPA) generally prevents employers from monitoring personal communications, such as private phone calls, unless there is reason to believe that a crime has occurred or certain other exceptions apply. However, the ECPA does support an employer’s right to monitor stored electronic communications, such as voicemail and e-mail messages, in order to protect its business, rights or property.


What can and cannot be done…
– What’s an employer to do?
– Where do we start?
– What are our rights as employers?
– What does the law say?
– Can I really be charged with any of this?


Policies/Procedures/Practices


Written Policy
– There is no legislation that requires employers to have a written policy before monitoring e-mail and web usage. However, having each employee read and sign your Internet Usage Policy is an extra step that the courts have found to reinforce the employer’s rights:
  • After being terminated for inappropriate e-mails, two employees later filed a lawsuit for violation of privacy, which was then dismissed by the California Court of Appeals.


Written Policy (cont.)
  • The court concluded that the employees have no reasonable expectation of privacy in their e-mail messages. The employees had acknowledged and agreed to the employer’s policies that stated that the use of company computers was for business purposes only. (Bourke v. Nissan Motor Corp., No YC-003979, Cal. Ct. App., June 1993)


S.A.T.E.


S.A.T.E.

Security Awareness, Training, and Education
– Learning Continuum
  • Awareness = what
  • Training = how
  • Education = why
– Continuous
– Upgrade & Update
– Test and Measure


Management Support


Management Support

– Ask for the policies and read them!
– Talk & Listen to your InfoSec Officers!
– Participate in meetings/discussions.
– Write memos on InfoSec matters.
– Test & Measure all employees.
– Financially support the InfoSec efforts…
– SPA-Security Posture Assessment (see me…)


Oh, think about this…


Things that make you go hmmm…

While you were here listening to me, one of your employees may be sending an email that could eventually cost your company/organization several million dollars.

Another may be surfing the Web for personal information, or exploring the latest offerings in cyberpornography.

Still others are spending valuable time wading through – or following up on – volumes of junk email.


Things that make you go hmmm…

And while you’re wondering if all of this is going on, who is protecting your corporation’s/organization’s secrets (sensitive material)? In the past year alone, according to the International Computer Security Association (ICSA), employee security breaches increased by 35% and the leak of proprietary information increased by 58%.


E-Commerce, E-Business, E-Mail, EEEEEEEEE…

Doesn’t sound possible? Think again. The “E” in email originally stood for “electronic.” Now it could mean “expensive.”


Does your Internet Usage Policy give specific guidelines for the following corporate communications:

Web surfing, E-mail, FTP, Newsgroups, Chat rooms, Spam?

Do you periodically generate usage reports to get feedback on compliance?

Weekly, Monthly, Bimonthly, Not at all

Have you posted your policy and given each employee a copy?

Yes or No

Have you vigorously enforced and promoted your policy?

Yes or No

Have you been consistent in your treatment of policy offenders?

Yes or No


Have you periodically updated your policy to reflect current technology and business trends?

Annually, Semi-annually, Not at all

If you answered “no” to any of the questions above, your policy is in need of an update.


And Finally...


E3 + E3


E3 + E3

Educate, Enlighten, Empower

Establish a good policy & program

Educate based on the policy

Enforce the policies


Q&A


USC - Center for Information Assurance Studies

The security of networked systems of computers is essential for information security. USC - Center for Information Assurance Studies is the home to what many security professionals in the computer and network security community consider the “Top Gun” institution for IA, combining research and studies in Information Assurance (IA) and Information Security (InfoSec) since its inception. The USC - Center for Information Assurance Studies encourages an open environment in which students, faculty, staff, and other agencies work together to understand the information assurance requirements of a university setting as well as national infrastructure protection, addressing the challenges presented by those requirements through education and research.

