Post on 25-Jul-2018
Protecting Export-Controlled Data: How to Effectively Prepare for and Respond to Cybersecurity Incidents
18 February 2016
www.hoganlovells.com
Today’s Speakers
• M. Peter Adler
• H. Deen Kaplan, Partner, Washington, D.C., Hogan Lovells
• Ajay Kuntamukkala, Partner, Washington, D.C., Hogan Lovells
• Michael J. Scheimer, Associate, Washington, D.C., Hogan Lovells
Agenda
• Overview of the Cyber Threat Landscape
• The Cyber – Export Control Nexus
• Overview of the U.S. Policy and Legal Landscape
• Industry Best Practices for Cybersecurity Programs
• Responding to a Cyber Breach
• Presenter Biographies
The Threat Landscape: Costs of Cyber Intrusions?
• Remediation and Reporting Obligations
• Substantial costs associated with cyber intrusions
– Theft of intellectual property and trade secrets
– Reputational damage
– Customer loss
– Costs of litigation and regulatory enforcement actions
• One calculation of the “average” cost of a cyber breach involving individual information that is lost or stolen
– $217 per record
– $6.5 million overall
– Detection and escalation
– Notification
– Ex-post response and remediation
– Lost business
Source: 2015 Ponemon Institute Research Report
The Threat Landscape: Costs of Cyber Intrusions?
• The Broader Picture:
– A 2014 CSIS Report estimated the likely annual cost to the global economy from cybercrime and cyber espionage is more than $400 billion
– General Alexander, then-head of the NSA, said in 2012 that the loss of industrial information and intellectual property through cyber espionage was the “greatest transfer of wealth in history”
The Cyber – Export Control Nexus
• Every company has an interest in protecting its and its customers’ proprietary, confidential, or controlled data from cyber attacks
• Cyber attacks on companies can lead to U.S. Government scrutiny and penalties if their networks contain data subject to U.S. export controls that was accessed by unauthorized foreign persons
– Technical data subject to the International Traffic in Arms Regulations (ITAR)
– Commercial/dual-use software or technology subject to the Export Administration Regulations (EAR)
– Technology subject to Department of Energy (DOE) export controls
The Broader U.S. Policy Landscape
“Cybercrime is becoming everything in crime … [B]ecause people have connected their entire lives to the Internet, that's where those who want to steal money or hurt kids or defraud go. So it's an epidemic for reasons that make sense.”
-- FBI Director James Comey
Structure of U.S. Export Control Laws
• State Department, Directorate of Defense Trade Controls (DDTC): International Traffic in Arms Regulations (ITAR) – military/intelligence
• Commerce Department, Bureau of Industry and Security (BIS): Export Administration Regulations (EAR) – commercial and “dual-use”
• Energy Department, National Nuclear Security Administration (NNSA): Part 810 Regulations – nuclear technology
Export Control Requirements for Data Breaches?
• Export control laws do not expressly address data breaches or provide specific guidance on how to protect data located on IT systems
• ITAR
– The State Department takes a broad view of “exports”
• ITAR-controlled data released or stored on servers outside the US, or releases of data to non-US persons, are “exports” that require authorization
– Release of ITAR-controlled data to countries subject to U.S. arms embargoes (or nationals thereof) requires mandatory and immediate disclosure to the State Department (ITAR 126.1(e)(2))
• Example: Data breaches involving the release of ITAR-controlled data to China would require mandatory reporting to the State Department
Export Control Requirements for Data Breaches? (cont’d)
• EAR
– Similarly broad view of “exports”
– Actual transfers versus constructive access
– Process for voluntary self-disclosures – no mandatory reporting
• DOE
– Very interested in data breaches involving controlled nuclear technology
– Strongly encourages self-reporting of data breaches to DOE
– Nuclear power plants also may be subject to reporting requirements to the Nuclear Regulatory Commission depending on the nature of data released
The U.S. Policy Landscape – Proposed Revisions to Definitions in EAR and ITAR
• As part of ECR, a proposed rule was issued on June 3, 2015 to revise certain definitions in the EAR to enhance clarity and ensure consistency with the ITAR; comparable changes to certain definitions were concurrently proposed for the ITAR
• Proposed new Section 734.18 of the EAR and Section 120.52 of the ITAR, each relating to activities that are not exports, reexports, and transfers, include an important new provision pertaining to encrypted technology and software
– Paragraph (a)(4) of the EAR and paragraph (a)(4)(ii) of the ITAR each establish a specific carve-out from the definition of “export” for the transfer of technology and software that use “end-to-end” encryption
• The intent of this requirement is that the relevant technology or software is encrypted by the originator and remains encrypted until it is decrypted by the intended recipient
The U.S. Policy Landscape – Restrictions for Items Related to “Intrusion Software”
• The Commerce Department published proposed amendments to the EAR in May 2015 to implement changes adopted by the Wassenaar Arrangement
• Proposed rules would create new restrictions and requirements for the export of hardware, software, and technology related to “intrusion software” (but not “intrusion software” by itself)
– Proposed rules are deliberately broad in scope, capturing a range of items that use intrusion software to identify vulnerabilities of computers and network-capable devices
• Export license would be required for all destinations except Canada
The U.S. Policy Landscape – Cybersecurity Requirements for DOD Contractors
• DOD issued an interim rule on August 26, 2015 to implement baseline safeguarding using NIST 800-171 for “covered defense information” and rapid reporting requirements of cybersecurity incidents for all contractors and subcontractors (including commercial contractors)
– “Covered Defense Information” includes, among other categories, export controlled information (which is defined broadly)
– Mandatory rapid reporting = within 72 hours
– Mandatory flow-down requirements for contractors and subcontractors
– Dec 30, 2015 revision allows contractors until Dec 2017 to fully implement 800-171 safeguarding standards (but contractor must tell DOD within 30 days of contract award what 800-171 standards are not in place)
• DOD issued an interim rule on October 2, 2015 for contractors and subcontractors participating in DOD’s Defense Industrial Base (DIB) cybersecurity activities program, aligning cybersecurity reporting requirements with those in the August 26 rule
– Mandatory rapid reporting = within 72 hours
– Broader applicability – applies to all forms of contracts or other agreements between DOD and DIB companies
The U.S. Policy Landscape – DOD Cloud Computing Requirements
• DOD’s August 26, 2015 interim rule also includes requirements related to cloud computing services:
– Requires providers to establish certain administrative, technical and physical safeguards
– Data must be stored in the U.S.
– Contractors must represent to the U.S. Government if they are using cloud services
• Mandatory reporting of cybersecurity incidents related to cloud computing services
• Requirements flow down; the DFARS clause must be included in subcontracts potentially involving cloud services
The U.S. Policy Landscape – Controlled Unclassified Information Proposed Rule
• Under E.O. 13556, Controlled Unclassified Information, Nov 4, 2010, the National Archives and Records Administration (NARA) leads the national CUI program.
• Program addresses government-wide issues (inconsistent markings, inadequate safeguarding, needless restrictions) by standardizing safeguarding procedures and by providing common definitions through the CUI Registry.
– Export controlled information is a category on the CUI Registry; currently uses broad definition that matches DOD rule
• The CUI Program’s three part implementation plan:
– 1. Finalize the proposed CUI rule in 32 CFR § 2002
• Proposed rule issued May 2015; final rule expected early 2016
– 2. Finalize NIST 800-171
• Finalized June 2015; DOD’s August 2015 rule requires contractors to use 800-171
– 3. Release a single Federal Acquisition Regulation (FAR) rule on CUI safeguarding.
• FAR clause will extend CUI cybersecurity safeguarding requirements similar to DOD rule to non-DOD contractors
CUI Safeguards for Breach Response
It is anticipated that the CUI Basic Safeguards, including breach response, will be guided by NIST SP 800-171
• NARA and NIST collaborated on the SP 800-171 and on the final CUI rule
CUI SECURITY REQUIREMENTS, 3.6 INCIDENT RESPONSE, mapped to NIST SP 800-53 r.4 controls:
• 3.6.1 Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery,
– IR-2 Incident Response Training
– IR-4 Incident Handling
– IR-5 Incident Monitoring
– IR-6 Incident Reporting
– IR-7 Incident Response Assistance
• 3.6.2 Track, document, and report incidents to appropriate organizational officials and/or authorities
• 3.6.3 Test the organizational incident response capability.
– IR-3 Incident Response Testing and Coordination with other plans
Note: Incident response policies and procedures (IR-1) and planning (IR-8) are expected to be satisfied without NIST specifications.
The U.S. Policy Landscape – Authorization of Cybersecurity Sanctions
• President Obama issued E.O. 13694 on April 1, 2015 authorizing economic sanctions against the perpetrators of “malicious cyber-enabled activities”
– This authority provides a broad mandate for the U.S. Government to block the property and interests in property in the U.S. of the perpetrators of significant cyber attacks
– Intended to deter future cyber-enabled attacks against critical infrastructure and the private sector
– Issued without an initial set of designations, and no designations have been made to date
• E.O. 13687, issued on January 2, 2015, imposes economic sanctions on certain North Korean persons in response to cyber attacks against Sony Pictures
What does Preparedness Mean for Your Company?
• Assess Risk and Prepare
– Set the Tone from the Top
– Have the Right People in Place
– Conduct Periodic Risk Assessments
• Develop Policies and Governance Mechanisms
• Plan Response
– Confirm Adequate Safeguards Are in Place
– Conduct Exercises to Assess Preparedness
– Evaluate Insurance Coverage
Tailoring “Best Practice” Controls to Protect Export Controlled Data
• Technical Controls
– Information Management
– Information Protection
– Information Access
– Monitoring and Review
• Legal, Regulatory and Contractual Controls
– Internal Tracking
– Documentation
– CUI Rule/NIST SP 800-171
– FAR and DFARS
• Governance
– Data Oversight
– Enterprise Engagement
– Risk Management Process
– Audit Process
• Business Controls
– Identity Management
– Access Control
– Personnel and Asset Management
• Physical Controls
– Secure Areas
– Equipment Security
Pathology of a Major Cyber Incident
• Internal Incident Response & Investigation
• Regulatory Inquiries and Investigations Related to Export Controlled Data
• Shareholder Litigation
• Vendors/Forensic Experts
• Coordination with Law Enforcement/FBI
• Insurance Coverage Investigation
• Notification
• Media Inquiries, Public Relations, and Customer Inquiries
• Congressional Investigation and Inquiries
• FTC Information Inquiry or Civil Investigative Demand
• Consumer Litigation
• State Attorneys General Investigation
• State Regulatory Investigations
• International Regulatory Inquiries and Investigations
• SEC Investigation and 10-K/10-Q Statements
• Information Sharing
Important Considerations for Export Controlled Data
• How will you know if your export controlled data has been compromised?
– Has your technology been classified? What is controlled and by which regime?
– Where is your controlled technology located?
• Does your Incident Response Plan incorporate export control considerations?
– Is your Incident Response Team aware of requirements relating to export controls?
– Have you involved the Legal/Trade Compliance team?
– Training for Incident Response Team on export controls?
Important Considerations for Export Controlled Data (cont’d)
• Do you have a plan for post-incident legal coordination regarding regulatory requirements and inquiries following a breach?
– If you have ITAR-controlled data, do you have a process for reporting breaches involving China or other arms-embargoed countries?
– Do you have a process for assessing whether to self-disclose other breaches involving export controlled data?
– If you are a government contractor or subcontractor, are you prepared to meet DOD rapid reporting requirements?
Self-disclosure is a legal, not technical, process – need to involve Legal/Trade Compliance
Next Steps in Preparedness
• Internal Assessment
– Maturity of Cybersecurity Program and People
– Defined Responsibilities
– Assessment of Compliance Program for Export Controlled Data
• Policies and Procedures
– Integrated and Reinforcing Approach between IT/Cybersecurity Policies and Procedures and Export Control-Related Policies and Procedures
• Testing of People, Processes, and Technical Controls
• Coordination with Appropriate Vendors/Experts
Hogan Lovells
M. Peter Adler
Peter Adler has a passion for privacy and cybersecurity law. He has extensive experience
helping clients comply with state, federal and international laws, regulations, rules and standards
that are relevant to information security, privacy and data protection. He has pursued his passion
in a wide-range of market sectors, including financial services, healthcare, retail, higher
education, government contractors and international business. His experience includes:
• Worked directly with the Office of Personnel Management (OPM), and Senate and House Oversight Committees on
the recent OPM breaches, representing SRA;
• Worked as the Chief Privacy Officer for the largest health plan in the country, including managing compliance with
U.S. and international privacy laws, including HIPAA, international data transfers and financial services privacy and
security regulations;
• Performed as interim Chief Information Security Officer (CISO) for the University of Colorado;
• Led a large and successful national HIPAA compliance team that provided services for over 250 health care entities
including the University of Texas Medical Centers, American Medical Response and Ascension Health;
• Performed privacy and security due diligence in business transactions, contracts, mergers and acquisitions and
initial public offerings;
• Provided security breach advice and services to a large national bank and advised other financial services entities
on GLBA, FACTA, and FCRA, and Federal Trade Commission (FTC) enforcement activities;
• Worked with retail establishments on the Payment Card Industry Data Security Standards (PCI-DSS) and FTC
regulations;
• Provided privacy and information security assessment and compliance services for the Commonwealth of
Massachusetts, the City of Chicago and Sun Microsystems (now Oracle); and
• Served as incident response counsel for entities insured by a large cyber insurance carrier and separately advised
companies on cyber insurance coverages.
Peter is General Counsel and a member of the Board of Directors of Data Guardian Pros. Prior
to that Peter was the Vice President, Deputy General Counsel and Chief Privacy Officer for SRA
International, Inc. (SRA). SRA was a mid-sized government contractor serving defense,
intelligence, homeland security and civilian agencies.
He attended Georgetown University Law Center, where in 1993 he received his Master of Laws
(LL.M.), International Law, with distinction. He received his Juris Doctor (J.D.) from William
Mitchell College of Law and his Bachelor of Science (B.S.) in communications from Ohio
University. He has been certified as an information privacy professional (CIPP) since 2002 and
he passed the certified information systems security professional (CISSP) examination in 2001.
M. Peter Adler mpeter.adler@gmail.com
H. Deen Kaplan, Partner, Hogan Lovells
Washington, D.C.
Deen Kaplan, a director of the Hogan Lovells international trade and investment group,
represents businesses and governments in a wide range of international trade and investment
disputes, cybersecurity and cyber policy-related matters, customs/security related issues, and
trade policy matters. Deen acts on behalf of clients in several fora, including dispute settlement
proceedings before the World Trade Organization (WTO), the London Court of International
Arbitration (LCIA), U.S. and Chinese government-led investigations and appeals, and trade-
related bilateral and multilateral negotiations. Deen's trade-focused areas of concentration
include international arbitration, security and trade, trade in technology products, government-
related disputes, subsidy law policy, WTO matters, and countervailing and antidumping duty
litigation.
In his cybersecurity practice, Deen has assisted clients in effectively addressing a range of
international incidents and security-related matters. These include managing overall incident
responses, threat detection and mitigation strategies, cyber-risk legal planning, determining and
managing notification obligations, and long-term secure data strategies. Deen has managed
incident responses involving multiple countries, including legal and technical coordination across
several continents. Deen has worked closely with corporate general counsel, dedicated internal
IT staff, outside security consultants and law enforcement authorities in North America, Europe,
and Asia.
Deen serves as co-chair of Hogan Lovells Technology Committee and a member of the global
Core Technology Group that helps manage the firm’s technology policies and resources across
more than 45 offices. Deen also brings to bear nearly a decade's worth of practical experience in
the business and nonprofit sectors, including service as an executive in computer hardware,
software development, and consulting businesses.
Deen is the associate editor of the Kluwer Law International ITA Monthly Report, an international
arbitration law journal published in association with the Institute for Transnational Arbitration. He
also lectures regularly on international trade and investment issues and teaches international
trade and dispute law at the University of Maryland School of Law as a member of the adjunct
faculty. The 2007 edition of Chambers USA lauds Deen as "unbelievably smart," noting his role in
one of the world's largest trade disputes and his capacity to "blow clients away" with his work.
H. Deen Kaplan Partner, Washington, D.C.
T +1 202 637 5799
deen.kaplan@hoganlovells.com
PRACTICES
International Trade and Investment
Privacy and Cybersecurity
International Arbitration
INDUSTRY SECTORS
Technology
Aerospace, Defense, and Government Services
Automotive
Aviation
EDUCATION
J.D., magna cum laude, Order of the Coif,
Georgetown University Law Center, 1997
M.Div., cum laude, Gordon Conwell Seminary,
1986
B.A., magna cum laude, Duke University, 1982
Ajay Kuntamukkala, Partner, Hogan Lovells
Washington, D.C.
Ajay Kuntamukkala assists clients with a range of regulatory and policy matters involving
international trade and national security, including export controls, economic sanctions, defense
trade, international trade policy, and antibribery matters. Ajay's practice ranges from counseling
clients on complying with the relevant trade and sanctions laws and regulations, designing and
implementing compliance programs, obtaining government licenses and authorizations, and
assisting clients with government investigations and enforcement proceedings related to trade
and sanctions matters. In this regard, he represents clients before the U.S. Departments of State,
Treasury, Defense, Commerce, Energy, and other agencies. Ajay also counsels clients on
international trade policy and legislative matters and on compliance with the Foreign Corrupt
Practices Act (FCPA).
In addition, Ajay is a member of Hogan Lovells' India working group and helps to coordinate the
firm's India-related activities.
Ajay rejoined the firm after serving as Senior Advisor to the Undersecretary of Commerce for
Industry and Security from 2003 to 2005. At the U.S. Department of Commerce, he counseled
the Undersecretary on a range of issues at the intersection of international trade and national
security, including U.S. export control policy and high-technology trade. He also assisted the
Undersecretary with the agency's international initiatives, including coordinating U.S. government
and industry efforts under the U.S.-India High Technology Cooperation Group to expand high-
technology trade with India. This included assisting with U.S. and Indian government negotiations
concerning the End-Use Verification Agreement and the Next Steps in Strategic Partnership
initiative, which involved policy changes and other measures in the areas of civil space, civil
nuclear, defense, and high technology. In addition, he served as the Undersecretary's appeals
coordinator, presiding over informal hearings and advising the Undersecretary on the disposition
of administrative appeals and enforcement proceedings.
Prior to his service at the Department of Commerce, Ajay was an associate at Hogan Lovells
from 2000 to 2003.
Ajay is active in local community affairs. He was appointed by the Governor of Maryland to serve
on the Governor's Commission on Asian Pacific American Affairs. He has also served as the
President of the South Asian Bar Association of Washington, D.C.
Ajay Kuntamukkala Partner, Washington, D.C.
T +1 202 637 5552
ajay.kuntamukkala@hoganlovells.com
PRACTICES
International Trade and Investment
India
Energy
Education
INDUSTRY SECTORS
Technology
Aerospace, Defense, and Government Services
Education
Energy and Natural Resources
Life Sciences
Technology, Media and Telecoms
EDUCATION
J.D., Georgetown University Law Center, 2000
M.P.P., Harvard University, 1998
B.A., summa cum laude, Boston College, 1995
Michael J. Scheimer, Associate, Hogan Lovells
Washington, D.C.
Michael Scheimer is an associate in our Washington, D.C. office, advising clients on government
contract matters with a particular focus on defense, information technology, and intelligence
contracts.
Michael has extensive experience with government contract cybersecurity issues, including
federal cloud computing programs, contractor data breach reporting, information sharing between
government and industry, contractor handling of classified and controlled unclassified
information, and government information system security accreditation processes. He also has
experience in international contracting issues, including Foreign Military Sales, contractors
operating in foreign countries, and multinational defense procurement programs. He has worked
on government-contract software rights and industrial security issues in numerous M&A
transactions.
He has also advised government contractor clients on export control issues, technology transfers,
government sanctions, and required contractor certifications and disclosures under domestic
sourcing laws including the Trade Agreements Act, Buy American Act, and the Berry
Amendment.
Prior to joining Hogan Lovells, Michael worked for a major defense contractor in a number of
positions. His most recent assignment was as a legal analyst in the Department of Defense
(DoD) Office of the General Counsel, International Affairs, where he reviewed DoD international
armaments cooperation efforts in R&D activities and international acquisition programs. Prior to
that, he was a national security policy analyst in the Office of the Under Secretary of Defense for
Acquisition, Technology, and Logistics, where he reviewed strategic systems acquisitions
including ballistic and cruise missiles, space and cyberspace systems, and missile defense
programs. He assisted in the New START arms control agreement negotiations and other arms
control, non-proliferation, and cooperative threat reduction programs. Prior to that, Michael was
an acquisition policy analyst in the Office of the Assistant Secretary of the Army for Acquisition,
Logistics, and Technology, where he reviewed UAS programs and counter-IED systems.
While in law school, Michael was the Symposium Editor for the American University International
Law Review and a Board Member of the National Security and Law Society.
Michael J. Scheimer Associate, Washington, D.C.
T +1 202 637 6584
michael.scheimer@hoganlovells.com
PRACTICES
Government Regulatory
Government Contracts
INDUSTRY SECTORS
Aerospace, Defense, and Government Services
Technology, Media and Telecoms
Technology
EDUCATION
M.A., American University, School of International
Service, 2012
J.D., American University, 2010
B.A., College of William & Mary, 2004
"Hogan Lovells" or the "firm" is an international legal practice that includes Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses.
The word "partner" is used to describe a partner or member of Hogan Lovells International LLP, Hogan Lovells US LLP or any of their affiliated entities or any employee or consultant with equivalent standing. Certain individuals,
who are designated as partners, but who are not members of Hogan Lovells International LLP, do not hold qualifications equivalent to members.
For more information about Hogan Lovells, the partners and their qualifications, see www.hoganlovells.com.
Where case studies are included, results achieved do not guarantee similar outcomes for other clients. Attorney Advertising.
© Hogan Lovells 2016. All rights reserved.