Cybersecurity Legal Year in Review – #DtSR Podcast

Do not miss this podcast discussing key cybersecurity legal events from 2015. Shawn Tuma joined the DtSR Gang [Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst)] on the Down the Security Rabbit Hole podcast.

In this episode…

  • Most important cybersecurity-related legal developments of 2015
    • Tectonic Shift that occurred with “standing” in consumer data breach claims
      • Discussion of law prior to Neiman Marcus case, and post-Neiman Marcus
      • Does this now apply to all consumer data breach cases?
      • Immediate impact? Companies now liable?
      • Lesson is in seeing the trend and how incrementalism works
      • Michaels & SuperValu case dismissals in light of Neiman Marcus
  • Regulatory Trends
    • FTC & SEC gave hints in 2014, post-emergence of Target details
    • Wyndham challenged authority – came to fruition in August 2015
    • SEC not far behind – significant case in September 2015
    • Aggressiveness of FTC is substantial – FTC v. LabMD … all over LimeWire
  • Officer & Director Liability
    • 2014 – SEC Comm. fired the warning shot … pointed the finger
    • Shareholder derivative litigation
    • Individual liability of IT / Compliance / Privacy “officers”
  • Anticipated 2016 Legal Trends
    • Regulatory enforcement … which, by the way, is why NIST is becoming default
    • Shareholder Derivative – much more likely than consumer class actions at this time
    • Lessons from both of these: when you need to persuade the “money folks” that they need to act, mention D&O Liability (especially Caremark) and Regulatory focus on individuals … now they’re in the cross-hairs
    • Realization that cybersecurity is more of a legal issue than anything else (IT or business) b/c it is the legal requirements and consequences that ultimately drive everything

Go HERE to listen to the Podcast!

Court Order Provides CFAA Authorization to Access Computer, Even if Later Overturned

A party who accesses a computer pursuant to a court order authorizing him to seize and access the computer will not be found in violation of the Computer Fraud and Abuse Act if such order is later overturned.

“An essential element of a CFAA claim under 18 U.S.C. § 1030 is that the [defendant] accesses a computer ‘without authorization or exceeds authorized access.’ Hunn v. Dan Wilson Homes, Inc., 789 F.3d 573, 583-84 (5th Cir. 2015) (holding that ‘because [the defendant] did not exceed authorized access, he did not violate the Computer Fraud and Abuse Act’). Here, the state-court turnover orders authorized Shor to access the computers. Even though those orders were ultimately overturned, because Shor had authorization at the time pursuant to a court order to access the computers, Black does not state a claim under the CFAA. See id. (discussing CFAA claim, reasoning that the defendant accessed the computer while still employed at the plaintiff’s company). Land and Bay Gauging, L.L.C. v. Shor, 2015 WL 4978993 (5th Cir. Aug. 21, 2015).

See earlier post.

Michaels Data Breach Class Action Dismissed for Lack of Harm

Because the data breach class action plaintiffs were unable to show they sustained any actual harm, the New York U.S. District Court granted Michaels’ Motion to Dismiss their case, without prejudice, on December 28, 2015.

In its Memorandum Opinion, the Court distinguished the Target and Neiman Marcus cases because, unlike those cases, there were no fraudulent charges on the plaintiff’s credit card: “she asserts only that her credit card was ‘physically presented for payment in Ecuador.’ There are no allegations that Whalen was required to pay the charges in Ecuador.” (Mem. Op. p. 8). In the Neiman Marcus case, “one critical distinction in that case is that 9,200 of those customers experienced fraudulent charges following the breach. By contrast, Whalen’s Complaint only indicates that she was affected, and even she did not suffer any out-of-pocket losses.” (Mem. Op. p. 15).

The court’s rationale for its dismissal was, “[s]imply put, Whalen has not asserted any injuries that are ‘certainly impending’ or based on a ‘substantial risk that the harm will occur.’”

SuperValu Data Breach Class Action Dismissed for Lack of Harm

Because the data breach class action plaintiffs were unable to show they sustained any actual harm, the Minnesota U.S. District Court granted SuperValu’s Motion to Dismiss their case, without prejudice, on January 7, 2016.

In its Memorandum Opinion, the Court distinguished the Target and Neiman Marcus cases because “[t]hose cases included factual allegations of substantial data misuse which plausibly suggested that the hackers had succeeded in stealing the data and were willing and able to use it for future theft or fraud.” (Mem. Op. 11-12). In the Target case, many of the 114 named plaintiffs actually incurred fraud, and in the Neiman Marcus case, “more than 9,200 customers experienced fraudulent charges on their payment cards within six months after a data breach that occurred at Neiman Marcus.” (Mem. Op. 12).

In this case, there was only one.

The court’s rationale for its dismissal was, “only one unauthorized credit card charge (of an unspecified date and amount) is alleged to have occurred in the fifteen-month time period following the Data Breach that affected over 1,000 of Defendant’s stores. This singular incident from one named Plaintiff over the course of more than a year following the Data Breach is not sufficient to ‘nudge[]’ Plaintiff’s class claims of data misuse or imminent misuse ‘across the line from conceivable to plausible.'”


Social Media Malware: What Is It and How do You Avoid It?

Guest Post by Cassie Phillips

You can’t have spent more than a week on the internet without hearing about malware and its adverse effects on your computer or even your smartphone (smartphone malware is on the rise as well). Perhaps you’ve even had to spend half a day cleaning it off your computer yourself. It is a menace, and it is dangerous given the data it can steal from your computer.

Malware has been around almost as long as the internet, but now that social media surrounds us wherever we go, enterprising cybercriminals have developed malware that directly targets social media and the accounts tied to it. The result is stolen data from social media accounts, much of it personal in nature, which can be used against you or to steal your identity. It also leads to takeover of your social media accounts, which is usually embarrassing and hard to recover from.


Here’s what you need to know about the threat:

What Makes It So Special?

Technically, not very much. Malware is so diverse that it is hard to categorize it other than by the effects it causes or its main targets. Social media malware isn’t magic or a special program developed only by the best hackers in the world; it is just a piece of software that intends to make your life miserable through your social media pages. Sometimes the term describes malware spread through social media, and at other times it describes the target. Either way, the malware itself is not very different from the malware that attacked accounts, or spread through websites, before it.

Yet the delivery channel does make it a distinctive kind of threat. If a piece of malware attacks your browser, you can often simply remove it from your computer before it spies on too much or does too much damage. Social media malware is different: it has a public edge. Whether it is malware you clicked on thinking it was a friend’s link, or something you picked up elsewhere online that later posts on your wall, it is a much more personal assault. Malware spam is usually not polite about what it shares with family and friends, and it can often disturb them.

Increasing Prevalence

The first thing you need to know is that it is becoming more common. Sophisticated cybercrime aimed at average consumers usually goes for breadth instead of depth. Malware takes time to develop, and the first wave of criminals had to tailor their product for social media. Now that the framework for that malware exists, cybercriminals can spend their time tweaking it instead of starting anew. This means more frequent attacks of different kinds.

Hackers could try to get into people’s accounts one at a time, but that isn’t cost effective. Because malware is automated and spreads like a plague, a single cybercriminal can target a theoretically unlimited number of victims. They can not only make a living and cause someone a bad day, but get rich and cause chaos doing so.

All of this coincides with increased rewards for those who successfully take over someone’s social media account. With the monetization of social media, people are linking credit card or even bank information to their accounts. This means that identity theft is easy for someone with the access to your account that social media malware can provide. Combine that with the increased connectivity between people, which lets the malware spread faster, and your Facebook account has a glowing red target on it.

Defenses and Preventative Measures

When trying to prevent social media malware from getting into your life you are by no means alone or hopeless. You should consider following the tips below to make yourself safer:

  • Use a Virtual Private Network (VPN) whenever you are going to use social media in public (this includes checking Twitter on your smartphone). Hackers love to intercept data over public networks and use it against you, and this can include getting to your accounts and computer and installing malware. This can lead to either the direct takeover of your accounts or easier targeting of them.

    A VPN is a service that connects your computer to an offsite server over an encrypted connection, so someone sharing the public network cannot read or tamper with your traffic. It also hides your network location from the sites you visit. Keep in mind what a VPN does not do: it does not stop malware you invite in yourself by clicking a malicious link or installing a rogue app. You will want to make sure that you are getting the very best available, so read up on ones that will work best with your devices while using social media.

  • Make sure that you are updating your online security suite (and if you don’t have one, please get one now) frequently, and keep your operating system and browser updated as well. Malware comes out quickly, and you need to be up to date in your defense as much of the time as possible.
  • No offense is meant, but some of your social media friends have no idea what they are doing. Do not accept their app invitations or engage in their chain posts. Many of them are traps. If they have a copy-and-paste message with a link, don’t pay any attention to it.
  • Try to maintain at least some degree of privacy on social media. The opinions of strangers rarely matter, and you certainly have better things to do with your time. What cannot be seen cannot be so easily targeted, and if you partition off the pointless parts of social media, those parts can’t get to you so quickly.


Social media malware isn’t going anywhere, and you need to be able to defend yourself. Fortunately, with the above knowledge and the right tools to aid you, you will be far less likely to have problems with this common menace.

Do you have any other ideas on what to do about social media malware? Have you encountered any problems yourself? Any stories to share? We would love to hear about them. Please leave a comment below and let us know what you think.

_____________________

Cassie Phillips is a frequent author and blogger. You can find more of her work at SecureThoughts.

A special thanks to Shawn Tuma for sharing this article. His website is one of those websites that simply impressed me when I first stumbled across it. The content gives loads of new information that informs my technology decisions. Readers will want to check out this recent video blog on cybersecurity and data breaches.


Dear Santa: Shawn Tuma’s Cybersecurity Christmas Wish


Shawn Tuma’s Cybersecurity Christmas Wish

My friends at SecureWorld asked me to do something I have not done since I was a kid. They asked me to write a letter to Santa and tell him what my one cybersecurity Christmas wish would be.

What is my wish?

Here is a hint: it is for business leaders to begin to understand one particularly crucial thing about cybersecurity incidents — one thing that could really help get their companies prepared for the cybersecurity risks they face.

If you want to know what that one thing is, all you have to do is read my letter to Santa: Cybersecurity Wishes: Shawn E. Tuma

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.


Why Lawyers Need to Understand Cyber Insurance for Their Clients (Tuma’s Tx Bar Journal article)

Cybersecurity, data breach, cyber attacks, and cyber insurance. Unless you live under a rock, you have heard of them. You had better hope your lawyer has too!

Shawn Tuma argues that the minimum standard of care for lawyers practicing in 2015-16 requires a basic understanding of cyber insurance. He recently explained that argument, along with his co-author Katti Smith, a seasoned cyber insurance professional with AIG.

The Texas Bar Journal published their article, Risky Business: Why lawyers need to understand cyber insurance for their clients, in the December 2015 issue. In the article, they explain what cyber insurance is, what kinds of policies cover cyber liability, key first-party and third-party costs that should be covered by such a policy, as well as key items that are often not covered.

Go check it out and let them know what you think.
