A Few Thoughts on the Consumer Litigation Settlement in the Target Data Breach Case

Many thanks to CSO Online and Michael Santarcangelo (@catalyst) for his excellent synopsis of our conversation regarding the recent settlement of the Consumer Litigation in the Target data breach lawsuit (note, the more substantive Financial Institutions Litigation has not settled).

Please give the full article a read and also give a shout-out to Michael on his Twitter and let him know what you think so he’ll call me again sometimes! :)

What security leaders need to know about the Target breach settlement

-Shawn

Cyber Law is (the new) Practical Business Law

Image courtesy of 89studio at FreeDigitalPhotos.net

I have had a thing for simplicity lately. A couple of months ago I was on stage speaking and something really hit me. I was watching the audience and the looks on their faces made me realize that, while what I was saying was technically accurate, to most of the people in the crowd, it sounded like gibberish — like when my mathematics-obsessed son tries to talk to me about Calculus. Or is it Trigonometry?

Who knows? And, I’ll bet that’s exactly what that audience walked out of there thinking. I vowed to do things differently. To simplify. More.

Cyber is the new reality. The business world is now fully immersed in the cyber world. Indeed, every business now has cyber issues unless it operates without a computer, data, or connection to the Internet. Can you think of any? Me either.

Since cyber is now a real-world issue that affects everyone, not just the uber-sophisticated techno-types, but real-world people too, cyber law has likewise made its way into the mainstream.

The cyber world poses incalculable cyber risks for businesses and that means that cyber law is now practical business law.

That is the point of my recent article Practical Cyber Law: Yes, Even Your Clients May Face Cyber Risk Issues that was published in Volume 3: Winter 2015 Edition of Circuits, a publication of the Computer & Technology Section of the State Bar of Texas (full issue). Please give it a read and let me know your thoughts.


Shawn Tuma (@shawnetuma) is a cybersecurity lawyer business leaders trust to help solve problems with cutting-edge issues involving cyber risk and compliance, computer fraud, data breach and privacy, and intellectual property law. He is a partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes across the United States and, through the Mackrell International Law Network, around the world.

Is China responsible for all the hacking it has been blamed for? Not according to Norse.

An interesting article about Norse’s upgrades to its ipviking system indicates that China may not be quite as bad as we previously thought:

3C: So what have you discovered?

Stiansen: We’re learning that traffic and attacks coming out of China aren’t really China. It’s actually other nations using China’s infrastructure to do the attacks. It’s not just one country, it’s the top 10 cyber countries out there using another country’s infrastructure.

3C: So is China getting a bad rap?

Stiansen: Correct.

Read more of the article here: Norse discovers stunning Dark Net attack patterns – Third Certainty.

Private Investigators, You Are Not Immune From the Computer Hacking Laws

I have seen far too many cases where private investigators do things like install keyloggers on estranged spouses’ computers, install sniffer programs to find their login credentials, and do other nefarious activities to hack their way into computers. Why should it come as a surprise to anyone that a PI has now been busted for hiring a professional hacker to break into the email accounts of individuals he was investigating?

Good! It is about time this starts getting some attention. Maybe one day they’ll realize that all of these computer hacking laws that we’re always talking about actually apply to them too.

Here is a nice write-up of a recent case if you’d like to read more: Private Investigator Pleads Guilty to Hacking Email Accounts

Practical ways your company’s contracts can help improve its cybersecurity odds

I am sharing two articles with you because, as you well know, cybersecurity is a really hot topic right now due to the threat it poses to virtually all businesses. I hope you find these helpful.

I was recently interviewed by CSO Magazine and asked to give one thing that companies could do to improve their cybersecurity chances. I suggested they focus on their contracts as they relate to cybersecurity issues (HERE).

Yesterday, on Norse’s DarkMatters, I explained this issue in greater detail and provided basic examples of cybersecurity issues that every business should address in their contracts (HERE).

As you read through these articles, think about the different kinds of data your company has, the many ways the bad guys could get to it, and how additional safeguards could be put into place for those within your company as well as its third-party relationships. These are just a few examples of the areas where addressing cybersecurity issues in your contracts can help improve your company’s overall cybersecurity posture. The contracts issue is only one of many areas that make up a comprehensive cyber risk protection program, which is what all companies really need.

If your company already has a program that includes these kinds of precautions, then congratulations because you are well ahead of most other companies! If you do not, we would love to help you get these protections in place so let me know and let’s schedule a time to get together over breakfast or lunch – my treat!


Does the CFAA Apply to Lenovo’s SuperFish Malware Lawsuits?

For me personally, the timeline of events surrounding the discovery of Lenovo’s SuperFish malware is ironic. Just a couple of days before it was discovered, I had a telephone call with a friend named Jon Stanley. Jon is someone I consider to be an elder statesman of the CFAA as he has been digging deep into the law for a long time — much longer than I have — and our call was basically to chat about all things CFAA-related. (to get a glimpse of what it’s like to talk to Jon, check this out)

One of the things we talked about was our favorite CFAA opinions and Jon told me his was Shaw v. Toshiba, 91 F.Supp.2d 926 (E.D. Tx. 1999). I had skimmed the high points a few years back but never really taken the time to go through it slowly and enjoy it like a snifter of brandy, so after we hung up, I pulled it up and began reading.

I immediately turned to the point that Jon and I discussed which is where the court focused on the silliness of folks trying to argue the Computer Fraud and Abuse Act is a “hacking” law – ha, the court knocked it out of the park! “[T]his Court does not see a blanket exemption for manufacturers in Title 18 U.S.C. § 1030; nor does it see the term ‘hacking’ anywhere in this statute.” Id. at 936. I love that statement — I have never seen the term “hacking” in there either and, to hear people continue referring to it that way makes me wonder if they also refer to the mail and wire fraud statute as intending to keep the crooked city slickers from taking advantage of honest country folk. (seriously, see page 1)

How does this apply to the Lenovo SuperFish Malware?

So now you’re probably wondering where I’m going with this, right? And, what it has to do with the Lenovo SuperFish malware?

Ok, did you catch the first part of that quote? The part about a “blanket exemption for manufacturers”?

The issue in Shaw was whether a computer manufacturer’s sale of laptop computers containing devices with defective microcode that erroneously caused the corruption or destruction of data without notice was a violation of the CFAA, because the instructions given by the defective microcode were an unauthorized transmission. Toshiba argued several things but, most applicable here, that “Congress never intended for the CFAA to reach manufacturers; rather, the CFAA is geared toward criminalizing computer ‘hacking.’” In other words, Toshiba argued that, because it was a manufacturer that did all of its “stuff” before the computer was shipped and sold to Shaw, its activities were not prohibited by the CFAA. The Court disagreed with Toshiba’s narrow interpretation:

Perhaps. But it seems more plausible that Congress, grappling with technology that literally changes every day, drafted a statute capable of encompassing a wide range of computer activity designed to damage computer systems–from computer hacking to time bombs to defective microcode.

Brilliant. Ultimately, the Court denied Toshiba’s Motion for Summary Judgment and allowed the case to proceed. 

The lawsuits against Lenovo have already started to drop and will surely continue coming. While I have not read the individual complaints, I’d say it’s a safe bet there are some CFAA claims in there — and if not, maybe they should give Shaw v. Toshiba a read (and not just for pleasure).

So, here’s a little test for you: if they do bring a CFAA claim, do they have to plead the $5,000 loss? 

Hey Jon, by the way, thank you!


Low Hanging Fruit Can Make a Pretty Good Cybersecurity Pie

“Cybersecurity” just sounds like something that must be really complicated, right?

Sure it does — it sounds exotic and cool — and complicated. And yes, when you get into the weeds of technical things that hackers (actually, crackers) do to monkey around with computers, it can be mind-boggling.

But, must you really understand all of those things to have some basic cybersecurity protection to help improve the odds for your company?

Think about this:

  • How much would your company’s cybersecurity odds improve if nobody in your company ever clicked on a phishing email?
  • If 75% wouldn’t?
  • If 50% more wouldn’t, once they had been taught how to think about them, than would have before?
  • How hard would it really be to take one day a month and have a lunch-and-learn for your workforce to help teach them how to think about and recognize such attacks, as well as other similar techniques the bad guys use?

Phishing scams, weak passwords, infected USB devices — those aren’t the exotic things that people think about when they hear the word “cybersecurity.” They are the easy(ier) things — the low-hanging fruit in the grand cybersecurity scheme. But don’t forget, even that low-hanging fruit can go a long way toward making a really good cybersecurity pie and save you and your company a whole lot of heartburn!