Lost in Cyberspace? Best Practices for Maintaining Security on the Internet and in the Cloud.

Mar 26, 2015

Transcript
Page 1: Lost in Cyberspace? Best Practices for Maintaining Security on the Internet and in the Cloud.


Page 2

Lost in Cyberspace?

• Preventing, monitoring, and responding to breaches of security and cyber attacks

• Reducing liability for compromises to third party data

• Special risks posed by social media and mobile devices

• “Best practices”
– Physical security
– Contractual agreements
– Policies and procedures

• “Damage control”
– Insurance
– Reporting obligations
– Accounting and valuation consequences
– Litigation options

Page 3

The in-house perspective

• Handles regulatory and compliance issues

• Responsible for public sector/government contracting issues

• Significant experience with internal and government investigations

Roberto Facundus, Global Compliance Attorney

salesforce.com, Inc.

Page 4

The auditor’s perspective

• Certified Information Systems Auditor

• Extensive experience with IT security and privacy assessments, audits, and compliance

• Frequent speaker and author on risks associated with cloud computing

• Member of Grant Thornton Cyber Security Committee

Orus Dearman, CISA, Director, Advisory Services

Grant Thornton LLP

Page 5

The litigator’s perspective

• Litigated cutting edge issues, including computer crimes and trade secret matters, for past 28 years (22 in Richmond)

• Member of Privacy, Security & Information Management and Trade Secret Noncompete Practice Groups

• Chair of Foley D.C. office Litigation Department

Michael J. Lockerby, Partner

Foley & Lardner LLP

Page 6

The in-house perspective

• Detecting cyberattacks
• Facilities security
• Worldwide security certifications
• Best practices
• User awareness training

Page 7

What is Cloud Computing?

Traditional On-premise
– Servers & Datacenters
– Engineers
– Energy Costs
– Pay for disruptive upgrades
– Not elastic

Cloud On-demand
– Cloud company maintains IT infrastructure & costs
– Upgrades included
– Pay by subscription
– Scales with you

Page 8

Phishing email

Page 9

Phishing/Malware Email

Page 10

Malware attack

Page 11

Page 12

Maximum Facilities Security

• 24/7/365 on-site security
• All doors, including cages, are secured through a combination of biometrics and/or proximity card readers
• Multiple security challenges required to reach Salesforce environment
• Low profile fully anonymous exteriors
• Digital camera (CCTV) coverage of entire facility
• Perimeter bounded by concrete bollards/planters
• A silent alarm and automatic notification of appropriate law enforcement officials protect all exterior entrances
• CCTV integrated with access control and alarm system
• Motion-detection for lighting and CCTV coverage

Page 13

Worldwide Security Certifications

• ISO 27001
• SSAE 16 (SOC 1, 2, and 3)
• GSA “Authority to Operate”
• PCI
• JIPDC (Japan Privacy Seal)
• Tuv (Germany Privacy Mark)
• SysTrust
• TRUSTe

Page 14

Trust & Transparency

Success is built on trust. And trust starts with transparency.

• Real-time information on system performance and security
• Live and historical data on system performance
• Up-to-the-minute information on planned maintenance
• Updates on phishing, malware, and social engineering threats

Page 15

User Awareness Training

• New Hire Training
– All employees and contractors
– Summary of security obligations

• Annual Training Class
– All employees and contractors
– Must take a test and pass

• Newsletters
– Monthly publication to everyone
– Covers relevant and timely security topics

Page 16

Best Practices

• Implement IP Restrictions
• Consider Two-Factor Authentication
• Secure Employee Systems
– Use malware/spyware utilities
• Strengthen Password Policies
• Require Secure Sessions (https://)
• Decrease Session Timeout Thresholds
• Identify a Primary Security Contact
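As an added illustration (not from the slides, and not salesforce.com's code), the following Python shows how four of the listed practices are enforced on every request of an established session: an IP restriction checked against a CIDR allowlist, a requirement that the session run over https, a check that two-factor authentication was completed, and a lowered idle-session timeout. The allowlist, timeout values, session fields and request scenarios are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy values for the example: a corporate CIDR allowlist,
# an idle timeout lowered to 15 minutes, an 8-hour absolute lifetime, and
# an https requirement. None of these come from the slides or any product.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
IDLE_TIMEOUT = timedelta(minutes=15)
ABSOLUTE_TIMEOUT = timedelta(hours=8)
REQUIRE_HTTPS = True


@dataclass
class Session:
    user: str
    created_at: datetime
    last_seen: datetime
    two_factor_passed: bool = False


@dataclass
class Request:
    source_ip: str
    scheme: str          # "https" or "http"
    now: datetime


def ip_allowed(source_ip: str) -> bool:
    """IP restriction: the client address must fall inside an allowlisted CIDR."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False            # an unparsable address is denied, not ignored
    return any(addr in net for net in ALLOWED_NETWORKS)


def check_request(session: Session, req: Request) -> list:
    """Return the list of policy violations for this request (empty means allowed).

    Every check is evaluated so the caller can log all reasons, not just the first;
    the session is only refreshed (last_seen updated) when no violation is found.
    """
    violations = []
    if REQUIRE_HTTPS and req.scheme != "https":
        violations.append("insecure-transport")      # Require Secure Sessions (https://)
    if not ip_allowed(req.source_ip):
        violations.append("ip-not-allowed")          # Implement IP Restrictions
    if not session.two_factor_passed:
        violations.append("two-factor-required")     # Consider Two-Factor Authentication
    if req.now - session.last_seen > IDLE_TIMEOUT:
        violations.append("idle-timeout")            # Decrease Session Timeout Thresholds
    if req.now - session.created_at > ABSOLUTE_TIMEOUT:
        violations.append("absolute-timeout")        # cap on total session lifetime
    if not violations:
        session.last_seen = req.now                  # sliding idle window
    return violations


def demo() -> dict:
    """Constructed scenarios, one per control, returned as {scenario: violations}."""
    t0 = datetime(2015, 3, 26, 9, 0, 0)

    def fresh() -> Session:
        return Session("alice", created_at=t0, last_seen=t0, two_factor_passed=True)

    return {
        "ok": check_request(fresh(), Request("203.0.113.7", "https", t0 + timedelta(minutes=5))),
        "plain_http": check_request(fresh(), Request("203.0.113.7", "http", t0 + timedelta(minutes=5))),
        "outside_allowlist": check_request(fresh(), Request("192.0.2.9", "https", t0 + timedelta(minutes=5))),
        "idle_too_long": check_request(fresh(), Request("203.0.113.7", "https", t0 + timedelta(minutes=16))),
        "no_2fa": check_request(Session("bob", t0, t0), Request("203.0.113.7", "https", t0 + timedelta(minutes=1))),
        "bad_ip_string": check_request(fresh(), Request("not-an-ip", "https", t0 + timedelta(minutes=1))),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'allowed' if not result else ', '.join(result)}")
```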

Page 17

The auditor’s perspective

• Overview of cloud computing
– Principal characteristics
– Types and models
– Why management is buzzing about this trend

• Risks of cloud computing

• Responding to a security breach

Page 18

Principal characteristics

• Network enabled

• Abstraction of infrastructure

• Resource democratization

• Services oriented architecture

• Elasticity and dynamism of resources

• Utility model of consumption and allocation

© Grant Thornton. All rights reserved.

Page 19

Types and models

Types of Clouds

• Public - Shared computer resources provided by an off-site third-party provider

• Private - Dedicated computer resources provided by an off-site third party or use of cloud technologies on a private internal network

• Hybrid - Consisting of multiple public and private clouds

Models of Cloud

• Software as a Service (SaaS) - Software applications delivered over the Internet

• Platform as a Service (PaaS) - Full or partial operating system/development environment delivered over the Internet

• Infrastructure as a Service (IaaS) - Computer infrastructure delivered over the Internet

• Desktop as a Service (DaaS) - Virtualization of desktop systems serving thin clients, delivered over the Internet or a private Cloud

Page 20

Why management is buzzing about this trend

Cloud computing is the future of IT

• A new and flexible model for deploying technology

• Extremely reliable and infinitely scalable

• Cost benefits and ease of ownership

• Allows organizations to expand or contract as needs dictate

• Pay for only what you need at any given time

Page 21

Potential risks

What are the physical components of the “Clouds”?
– Data Centers: self-hosted, third-party, both, etc.?
– Network circuits and firewalls: who’s managing, who’s watching, etc.?
– Disaster preparedness and recoverability: is there a plan, is it tested, etc.?
– Who is aware of and managing vendor SLAs and are they adequate?

Page 22

Potential risks (continued)

Where is the data and how is it protected?
– In-flight, standing still / at-rest, etc.?
– Archives and back-up?
– Unintended uses?
– Data privacy and compliance?

What is the tone at the top?
– Stakeholder knowledge of attributes and risks
– Have internal controls evolved effectively?
– Who is monitoring internal use of public cloud services?

Page 23

Six additional risk areas

• Security

• Multi-tenancy

• Data location

• Reliability

• Sustainability

• Scalability

Page 24

Security risks

• The cloud provider’s security policies are not as strong as the organization’s data security requirements

• Cloud systems which store organization data are not updated or patched when necessary

• Security vulnerability assessments or penetration tests are not performed to ensure logical and physical security controls are in place

• The physical location of organization data is not properly secured

Page 25

Multi-tenancy risks

• Organization data is not appropriately segregated on shared hardware, resulting in organization data being inappropriately accessed by third parties

• The cloud service provider has not deployed appropriate levels of encryption to ensure data is appropriately segregated both at rest and in transit

• The cloud service provider cannot determine the specific location of the organization’s data on its systems

• Organization data resides on shared server space which might conflict with regulatory compliance requirements for the organization

Page 26

Data location risks

• The organization is not aware of all of the cloud service provider’s physical location(s)

• The organization does not know where their data is physically or virtually stored

• The cloud service provider moves organization data to another location without informing the organization

• Organization data is stored in international locations and falls under foreign business or national laws/regulations

Page 27

Reliability risks

• The cloud service provider has quality of service standards which conflict with operational requirements

• During peak system activity times, the cloud service provider experiences system performance issues that result in the following:
– Organization employees cannot access the organization’s data when needed
– Customers are unable to use the organization’s systems (such as placing an order on the organization’s web site) because of performance problems with the cloud provider

Page 28

Sustainability risks

• In the event the cloud service provider goes out of business, the organization might not be able to retrieve the organization’s data. In addition, another third party might gain access/control of the organization’s data

• The cloud service provider does not have appropriate system recovery procedures in place in the event of a disaster

• The organization’s business continuity plan does not address the cloud’s service offering being unavailable

• Organization data is compromised as a result of a disaster

Page 29

Scalability risks

• The cloud service provider’s systems cannot scale to meet the organization’s anticipated growth, both for a short-term spike and/or to meet a long-term strategy

• If the organization decides to migrate all or part of the organization’s system and/or data back in-house (or to another provider), the cloud service provider cannot (or will not) provide the data

Page 30

Responding to a breach

• 2011 data breach statistics
• Breaches are costly
• Prevention
• Incident response
• Post incident activity

Page 31

2011 data breach statistics

Of 855 security breach incident investigations:
– 98% stemmed from external agents
– 81% utilized some form of hacking
– 69% incorporated malware
– 85% took a week or more to discover (92% by a third party)
– 97% were preventable through intermediate controls

Source: Verizon RISK Team 2012 Data Breach Investigations Report

Page 32

Breaches are costly

6M per event or $197 per record (Ponemon Institute)

• TJX
– 47M+ card numbers stolen, $200M+ in costs

• Hannaford Brothers and Sweetbay
– 4.2M card numbers stolen, 1,800 cases of fraud

• ABN Amro
– 2 million customer records "lost in mail" (DHL)

• DuPont
– $400M in trade secrets breached by inside

Page 33

Prevention

Best Practices:
– Establish a data security policy and promote organizational awareness
– Implement appropriate management, operational, and technical security controls
– Collect the minimum amount of personal information necessary to perform a job
– Adhere to local and federal data disposal laws

Page 34

Incident response

• Prioritize: Consider the functional/information impact and recoverability of the incident

• Notify:
– Determine response requirements based on state law for physical possession, copied, or utilization of personal information
– Notify internal and external stakeholders including government agencies

Page 35

Incident response (continued)

• Contain: Criteria for determining appropriate strategy
– Need for evidence preservation
– Service availability
– Time and resource requirements
– Duration of the solution (temporary vs. permanent)

Source: NIST Special Publication 800-61 Revision 2, August 2012

Page 36

Post incident activity

Lessons Learned
– Incident reporting
– Adherence to policies and procedures
– Corrective and preventive actions
– Symptoms and precursors for future monitoring
– Additional tools or resources needed to detect, analyze, and mitigate future incidents

Source: NIST Special Publication 800-61 Revision 2, August 2012

Page 37

Resources

The ABCs of Cloud Computing: A comprehensive cloud computing portal where agencies can get information on procurement, security, best practices, case studies and technical resources. (GSA / http://www.info.apps.gov)

Successful Case Studies: A report which details 30 illustrative cloud computing case studies at the Federal, state and local government levels. (CIO Council / http://www.info.apps.gov/sites/default/files/StateOfCloudComputingReport-FINALv3_508.pdf)

Cloud Computing Definition: Includes essential characteristics as well as service and deployment models. (NIST / http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf)

Centralized Cloud Computing Assessment and Authorization: The Federal Risk and Authorization Management Program (FedRAMP) has been established to provide a standard, centralized approach to assessing and authorizing cloud computing services and products. FedRAMP will permit joint authorizations and continuous security monitoring services for government and commercial cloud computing systems intended for multi-agency use. It will enable the government to buy a cloud solution once, but use it many times. (CIO Council / http://www.fedramp.gov)

Page 38

Resources (continued)

Guidelines on Security and Privacy in Public Cloud Computing: This draft publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment. (NIST / http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf)

Cloud Security Alliance: To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing. (https://cloudsecurityalliance.org/)

CloudAudit: To provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments. (http://cloudaudit.org/)

Page 39

The litigator’s perspective

• Litigation: the nuclear option

• Lessons learned in litigation

• When litigation is unavoidable

Page 40

Litigation: the nuclear option

• Unavoidable under certain circumstances

• Preliminary injunction may be only way to protect trade secrets

• If trade secrets are particularly sensitive, litigation may be “bet the company” case

Page 41

Lessons learned in litigation

• Physical and electronic security
• Contract provisions
• Marking
• Exit interviews
• Computer forensics
• Use of the Internet

When litigation is unavoidable:
– Obtaining preliminary injunctive relief
– Effective use of federal and state computer crimes laws

Page 42

Physical and electronic security

• Locked or limited access
– Physically
– Electronically

• Restrict to those with “need to know”

• Forensic examination

Page 43

Contract provisions

• Employees and contractors

• Prospective merger or joint venture partners

• Suppliers

• Dealers, distributors and franchisees

• Covenant not to use, disclose, or copy

• Right of audit and inspection

• Consent to preliminary injunctive relief in court

• Choice of forum

Page 44

“Marking” trade secrets

Clearly identify confidential information

Avoid over-designation

Restrict copying (e.g., numbered paper copies, use of “security paper,” “read only” electronic copies)

Page 45

Maintaining confidentiality

Exit interviews with departing employees and dealers, distributors, or franchisees
– Review policies and procedures
– Obtain written certification of compliance

Page 46

Trust, but verify

Use computer forensic experts to monitor activity:
– During employment and upon departure
– During contract term and after termination or nonrenewal

Page 47

Computer forensic experts

Determine whether sensitive files were accessed, emailed, downloaded, printed

Review email history

Recover “deleted” files

“Clone” computer hard drives of departing employees

Ensure that employees have no “reasonable expectation of privacy”
– Written policies and procedures
– Periodic reminders
– Informed consent to monitoring

Page 48

Trade secrets on the Internet?

Early view:
– “Once a trade secret is posted on the Internet, it is effectively part of the public domain, impossible to retrieve.” RTC v. Lerma, 908 F. Supp. 1362, 1368 (E.D. Va. 1995); RTC v. Netcom, 923 F. Supp. 1231 (N.D. Cal. 1995)

Later view:
– Not lost if publication “sufficiently obscure or transient or otherwise limited so that it does not become generally known to … potential competitors” DVD Copy Control Ass’n v. Bunner, 10 Cal. Rptr. 3d 185 (Ct. App. 2004)

Page 49

Trade secrets on the Internet?

Key circumstances:
– How long was it posted?
– How promptly did the owner act?
– Who saw it?
– How accessible and popular is the site?
– Where does it show up in response to search engine queries?
– How much was disclosed?

Page 50

Preliminary injunctive relief

Warranted in cases of actual or threatened use of trade secrets

If trade secrets not yet disclosed or used, may be only remedy

Prohibitory injunction

Mandatory injunction: return of embodiments, assignment of patents

Page 51

Preliminary injunctive relief

Primary purpose to preserve “status quo”
– “last, actual peaceable uncontested status”

Is “status quo” that trade secrets already on the Internet or otherwise gone?

Computer crimes laws require no showing of trade secret protection

Effect of contractual arbitration provision
– What if no “carve-out” for preliminary injunctive relief?
– Authority that federal courts can preserve status quo pending arbitration
– Still good law now that most ADR rules authorize preliminary injunctive relief?

Page 52

Ex parte seizure

Federal IP law
– Lanham Act permits ex parte seizure of counterfeit goods, 15 U.S.C. § 1116(d)
– Copyright Act permits temporary injunctive relief, impoundment (17 U.S.C. §§ 502, 503)

Trade secret law
– No federal private right of action
– Fed. R. Civ. P. 64 preserves state law seizure remedies (state replevin statutes)
– UTSA, Restatement expressly authorize mandatory injunctions

Page 53

Practice pointers

Seek expedited trial and preliminary injunction preserving status quo
– Federal Rule 26(d): expedited discovery
– Federal Rule 65(a)(2): consolidated preliminary injunction hearing, trial on merits

Submit proposed order with findings and conclusions
– “set forth the reasons for its issuance”
– “be specific in terms”
– “describe in reasonable detail … the act or acts to be restrained” Federal Rule 65(d)

Page 54

Practice pointers

Make injunction binding by service on “other persons…in active concert or participation with” the parties and their “officers, agents, servants, employees, and attorneys”
– Federal Rule 65(d)(2)

Page 55

Practice pointers

Courts have considerable discretion whether to award injunctive relief and how to fashion it

May win or lose on “intangible” factors: credibility and reasonableness of witnesses, parties, counsel

Page 56

Federal computer crimes laws

Electronic Communications Privacy Act (ECPA)
– Wiretap Act prohibits interception of communications
– Stored Communications Act prohibits dissemination or review

Computer Fraud & Abuse Act (CFAA)

Page 57

Computer Fraud & Abuse Act

Prohibits intentional access to computer without authorization, or beyond the scope of any authority

Applied to employee who erased data on company laptop before resigning
– Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006)

Page 58

De-CFAA-nated?

U.S. v. Nosal, 676 F.3d 854 (9th Cir. April 2012)
– CFAA provides no remedy against disloyal employees who retrieved confidential information via company user accounts and transferred it to competitor
– Because defendants were authorized to access the computer, access for an unauthorized purpose was not “without authorization” and did not “exceed[] authorized access”

WEC Carolina Energy Solutions LLC v. Miller, 2012 U.S. App. LEXIS 15441 (4th Cir. July 26, 2012)
– CFAA provides no remedy against former employee who, before resigning, downloaded employer’s proprietary information at behest of competitor
– WEC policies prohibited using information without authorization or downloading to PC but did not restrict Miller’s authorization to access the information

Page 59

Fourth Circuit’s rationale

CFAA allows for criminal prosecution
– But the Copyright Act also criminalizes copying by unlicensed users and licensees exceeding scope of their authorization

Other “means to reign in rogue employees,” e.g., trade secret law
– But trade secret protection may have been destroyed

Page 60

Damages for CFAA violations

Must be > $5,000
– “any reasonable cost to any victim”

Can include cost of computer forensic expert
– “cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense”

Some courts require “interruption of service”

Statutory provision:
– “any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service”

Page 61

State computer crimes laws

Prohibit “use” of computers “without authority”

Typical remedies:
– Sealing the record
– Injunctive relief
– Costs and attorneys’ fees

Can combine with common law claim for “trespass to chattels”

Hacker reconstructed and sold competitor’s customer list

Record sealed under Virginia computer crimes statute

Ex parte TRO and preliminary injunction
– UPS, Inc. v. Matuszek, Case No. 1:97-cv-00744 (E.D. Va. 1997)

Page 62

State computer crimes laws

Former dealer accessed “dealers only” site, ordered to pay attorneys’ fees + cost of having forensic expert image and analyze computers
– NACCO Materials Handling Group, Inc. v. The Lilly Co., --- F.R.D. ----, 2011 U.S. Dist. LEXIS 143054, 2011 WL 5986649 (W.D. Tenn. Nov. 16, 2011)

Licensee hired consultant to “work around” and avoid paying for undisclosed “authorization key” to relocate software

Failure to disclose actionable under CFAA and Connecticut statute
– Roller Bearing Co. of America, Inc. v. American Software, Inc., Case No. 3:07-cv-01516 (D. Conn.)

Page 63

Questions and answers

Page 64

Contact information

Roberto Facundus

Global Compliance Attorney

salesforce.com®

[Address]

Cell: 415.963.2864

[email protected]

Page 65

Contact information

Orus Dearman, CISA

Director, Advisory Services

Grant Thornton LLP

2070 Chain Bridge Rd

Vienna, Virginia 22182-2596

Direct: 703.637.4133

Cell: 202.491.6382

[email protected]

Page 66

Contact information

Michael J. Lockerby

Foley & Lardner LLP

Washington Harbour

3000 K Street, N.W.

Washington, D.C. 20007

Direct: 202.945.6079

Cell: 804.399.6089

[email protected]