Yes. You’re in the right room.

Upload: damon-ross

Post on 21-Jan-2016


TRANSCRIPT

Page 1: Yes. You’re in the right room.. Hi! I’m David (Hi David!)

Yes. You’re in the right room.

Page 2

Hi!

Page 3

I’m David (Hi David!)

Page 4

I’m a lawyer.

Page 5
Page 6

I’m a lawyer.

Page 7

Today we’re going to talk about:

Page 8
Page 9
Page 10

• Major laws
• Legal guide
• Contract issues
• Toolkit

Roadmap

Page 11
Page 12

Major laws

• Computer Fraud and Abuse Act – 18 USC 1030
• Wiretapping – 18 USC 2511
• Stored Communications Act (email) – 18 USC 2701
• Destruction of communication devices – 18 USC 1362
• Patriot Act – amends many laws
• RICO
• Foreign Intelligence Surveillance Act (FISA)
• Medical Computer Crime Act
• State laws

Page 13

Major laws

Knowledge

Exceeding authority

Infrastructure that is not public / open

Disclosure / retention of data

Page 14
Page 15

Major laws

CFAA – up to 20 years

SCA – 5 years in the absence of malice

Wiretapping – 5 years

Page 16

Major laws

Penalty considerations

• Potential and actual loss
• Sophistication and planning involved
• Purpose of offense
• Intent
• Impact on privacy rights
• National security
• Interference with critical infrastructure
• Threat to public health

Page 17
Page 18

Legal guide

Scope

Permission

Third parties

Access

Page 19

Legal guide

Scope

• What is the customer trying to protect?

• Systems to be protected

• Limitations on testing

• Types of information processed

Page 20

Legal guide

Permission

• Methods to be used

• Types of customers serviced

• Categories of information held

• Data to be retained

• Data to be purged

Page 21

Legal guide

Third parties

• Who are customer’s third party vendors?

• Does customer contract allow testing?

• Will you use third parties?

• Consider law enforcement and prosecutorial priorities

Page 22

Access

• Document data to which you have access

• Limit the number of employees who have access to data

• Create and implement access policies

• Require written notice

Legal issues

Page 23
Page 24

Contract

Permission

Scope of access

Indemnification

Termination issues

Page 25

Contract

Permission and Scope of Access

Customer grants Company full and unlimited access to the information and systems set out on the Statement of Work (Access). Access is only limited by the express statements set out in the Statement of Work. Company agrees to keep complete and accurate records of its activities related to Access. Company shall be entitled to produce these records should it be alleged that Company has exceeded the Access authorized by Customer.

You must have express permission

Page 26

Indemnification

Customer hereby releases and agrees to indemnify and defend Company, and any and all directors, officers, employees, contractors and agents of Indemnitee (collectively, the “Indemnitees”) from and against any and all liabilities, claims, losses, damages, costs, and expenses, including reasonable attorneys’ fees arising out of or in any way relating to the activities set out on the Statement of Work. This indemnification obligation shall extend to claims brought by customers of Customer and any third party claiming injury of any sort from the activities set out in the Statement of Work. In addition, the indemnification obligation shall extend to any charges brought against Company by a law enforcement or regulatory entity of any type based on the activities contemplated in this Agreement.

Contract

Indemnification must be broad and extend to end users / law enforcement

Page 27

Termination

Contract

Upon termination or expiration of this Agreement, Company shall delete all data and provide Customer with written confirmation of this deletion. Company shall also instruct any entities who have had access to the data to also delete it and provide Customer with written certification of this deletion. The security obligations set out in this Agreement relating to the data shall survive termination or expiration of this Agreement until such time as the data is completely deleted by Company. Company shall require this provision, or one similarly protective of Customer’s rights, in all its contracts with suppliers or other vendors who provide aspects of the Services. Company may keep copies of data created pursuant to this Agreement, subject to this paragraph.

When agreement terminates, your rights terminate.

Page 28
Page 29

Toolkit

Determine how services will be used

Evaluate customer’s data structure

Understand end user’s data

Determine the type of data you may retain

High risk regulatory areas

Disposition of data on termination

Page 30

surveymonkey/source12

Page 31

Thanks for coming!

W: dsnead.com
T: @wdsneadpc