Comparing Management-Based Regulation and Prescriptive Legislation: How to Improve Information Security Through Regulation (a.k.a., “The Efficacy of Cybersecurity.

Presentation transcript:

Comparing Management-Based Regulation and Prescriptive Legislation: How to Improve Information Security Through Regulation (a.k.a., “The Efficacy of Cybersecurity Regulation”) David Thaw University of Connecticut School of Law Yale Law School Information Society Project

Information Security Failures
04/17/2011 – Sony PlayStation Network compromised by attackers, 77,000,000 consumer records compromised
–Sony compromised again… one week later! (24.6 million records)
01/29/2009 – Heartland Payment Systems payment card processing network compromise discovered, 130,000,000 consumer records compromised
–Actual compromise occurred ~8 months earlier and went undetected!
01/17/2007 – TJX Companies reports information security failure that allowed attackers to compromise 94,000,000 consumer records, including many consumers’ payment card information
–Banks wrote off tens of millions in fraudulent charges
–Some consumers forced to obtain new driver’s licenses/ID #’s

SBN “Triggering” Data
Identifier (usually name)
Sensitive Personal Information
Three Common Types of Sensitive Personal Information:
–Social Security Number
–Payment Card/Account Number*
–Gov’t-Issued ID Number*
But: exception for “encrypted” data!
Reportable Breach
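As an added example (not part of the presentation), the trigger model above applied to a constructed data-store inventory: a store counts as SBN-reportable if lost only when an identifier is paired with at least one of the three sensitive elements and the store is not encrypted. The field names, the DataStore type and the inventory are assumptions made for illustration.

```python
# Added example: apply the SBN "triggering data" model from the slide
# (identifier + sensitive personal information, unencrypted => reportable)
# to a data-store inventory. Field names and the inventory are constructed.
from dataclasses import dataclass

# The three common sensitive categories named on the slide.
SENSITIVE_FIELDS = {"ssn", "payment_card_number", "govt_id_number"}
# Fields that identify the person the sensitive data belongs to.
IDENTIFIER_FIELDS = {"name", "full_name"}


@dataclass
class DataStore:
    name: str
    fields: set
    encrypted: bool = False  # encrypted at rest: the "encrypted data" exception
    record_count: int = 0


def is_sbn_triggering(store: DataStore) -> bool:
    """Loss of this store is reportable only if it pairs an identifier with
    a sensitive element AND the data is not encrypted."""
    has_identifier = bool(store.fields & IDENTIFIER_FIELDS)
    has_sensitive = bool(store.fields & SENSITIVE_FIELDS)
    return has_identifier and has_sensitive and not store.encrypted


def notification_exposure(stores):
    """Return (store name, record count) for each store whose loss would be
    reportable, largest first, so encryption effort can be prioritised."""
    exposed = [(s.name, s.record_count) for s in stores if is_sbn_triggering(s)]
    return sorted(exposed, key=lambda t: t[1], reverse=True)


# Constructed sample inventory, not real systems.
INVENTORY = [
    DataStore("payroll_db", {"name", "ssn", "salary"}, False, 12000),
    DataStore("orders_db", {"name", "payment_card_number"}, True, 900000),  # encrypted
    DataStore("analytics", {"ssn"}, False, 50000),  # sensitive but no identifier
    DataStore("marketing", {"name", "email"}, False, 300000),  # identifier but no SPI
    DataStore("hr_laptops", {"full_name", "govt_id_number"}, False, 4500),
]

if __name__ == "__main__":
    for store_name, count in notification_exposure(INVENTORY):
        print(f"{store_name}: {count} records would trigger notification if lost")
```

The encrypted orders_db drops out of the exposure list even though it holds the most records, which is the effect the CISO quotes that follow describe.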

CISO Quotes: Effects of SBNs
SBNs drive encryption policies:
–“... [SBNs] caused us to... in a very short period of time, encrypt 40,000 laptops...” (CISO of a large healthcare organization)
–“... What we have done is all computers now have to be encrypted.” (CISO of a large telecommunications company)

CISO Quotes: Effects of SBNs
SBNs drive encryption policies:
–“So what’s happened since the Notification Laws have become sort of ubiquitous in the last three years [is] the security investment is moved, essentially to crypto. If it moves, encrypt it. If it stays there, encrypt it. There’s not much reflection on whether or not actually anyone ever uses that data. It’s still a breach.” (CISO of a large healthcare organization)

CISO Quotes: Effects of SBNs
“And so what’s been really interesting about the Notification Laws is [they] have come in and [ ] essentially reversed the whole direction security was taking from when I started this job.” (CISO of a large healthcare organization)

CISO Quotes: Effects of SBNs
“[B]asically [encryption] has distracted us from [] what I think is important thing... actually address[ing] things like Botnets and really significant network security vulnerabilities... [t]his whole crypto business [] has essentially moved resources from that area which we were kind of focusing on to this other area... every dollar that I spend on crypto is a dollar I don’t get to spend on something else” (CISO of a large health care organization)