Target in Miami

A Few Thoughts on the Consumer Litigation Settlement in the Target Data Breach Case

Target in MiamiMany thanks to CSO Online and Michael Santarcangelo (@catalyst) for his excellent synopsis of our conversation regarding the recent settlement of the Consumer Litigation in the Target data breach lawsuit (note, the more substantive Financial Institutions Litigation has not settled).

Please give the full article a read and also give a shout-out to Michael on his Twitter and let him know what you think so he’ll call me again sometimes! :)  What security leaders need to know about the Target breach settlement

-Shawn

shutterstock_59508448

Executives & Board: The conversation security leaders need to have about Amy Pascal’s departure

This is an excellent article that covers a very important topic you need to consider. You — as in Executives and Board Members of Companies all around the world.

Stop, close your eyes, and ask yourself these three questions that are in this article:

  1. “What did you think of the announcement?” (i.e., put yourself in her position and envision that day)
  2. “Is there anything in your emails and files that, if exposed, would get you fired?” (this is self explanatory, but see this related post for advice on this issue: #SonyHack: Will Executives’ Embarrassing Emails Better Motivate Cybersecurity Change?)
  3. “In the event we experience a breach, what are our priorities?” (again, self explanatory, but see this related post for advice on planning: Breach Response Planning)

Now check out the full article: The conversation security leaders need to have about Amy Pascal’s departure | CSO Online.

Happy Data Privacy Day!

Data Privacy DayWhat are you doing to observe it?

Today is Data Privacy Day! If you have been wondering “what is Data Privacy Day?” then this is your lucky day because not only is today Data Privacy Day, but here is the answer and an explanation for why it really matters to you and your company’s future success.

What is Data Privacy Day?

Data Privacy Day is observed every year on January 28 and is led by the National Cyber Security Alliance (NCSA), a nonprofit, public-private partnership dedicated cybersecurity education and awareness. According to the NCSA,

Data Privacy Day is an international effort to empower and educate people to protect their privacy and control their digital footprint.

Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the January 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. Data Privacy Day is now a celebration for everyone, observed annually on January 28.

Data flows freely in today’s online world. Everyone – from home computer users to multinational corporations – needs to be aware of the personal data others have entrusted to them and remain vigilant and proactive about protecting it. Being a good online citizen means practicing conscientious data stewardship. Data Privacy Day is an effort to empower and educate people to protect their privacy, control their digital footprint, and make the protection of privacy and data a great priority in their lives.

14 Tips For Keeping Your Company’s Data Secure

In honor of Data Privacy Day, the International Association of Privacy Professionals (iapp) has posted an article with 14 tips you need to consider when evaluating how to keep your company’s data secure:

  1. Know Thy Data. Determine what data you collect and share. Classify it according to its level of criticality and sensitivity. What could be considered PII? Define whether data is “in use,” “in motion” or “at rest.” Know where the data is physically stored.
  2. Terms and Conditions May Apply. Make sure your privacy policy reflects current data practices (see Tip #1). This includes the use of third-party advertisers, analytics, and service providers. Periodically review and confirm these third parties comply with your written policies.
  3. You Don’t Know What You’ve Got Till It’s Gone. Conduct annual audits to review whether your data should be retained, aggregated or discarded. Data that’s no longer used needs to be securely decommissioned. Create a data retention policy dictating how long you keep information once it’s fulfilled its original purpose. And, of course, continually ask whether that purpose is still valid and relevant.
  4. Practice or You’ll Breach. Forged e-mail, malvertising, phishing, social engineering exploits and data snooping via unencrypted transmissions are on the rise. From simple controls to sophisticated gears, make sure you’ve implemented leading security “best practices.”
  5. AYO Technology! Data Loss Prevention (DLP) technologies identify vulnerabilities of potential exposures. These work in conjunction with existing security and antivirus tools. From early warnings of irregular data flows to unauthorized employee access, DLP solutions help minimize and remediate threats.
  6. BYOD Is Like a BYOB House Party. The lack of a coherent bring-your-own-device (BYOD) program can put an organization at risk. User devices can easily pass malware and viruses onto company platforms. Develop a formal mobile device management program that includes an inventory of all personal devices used in the workplace, an installation of remote wiping tools and procedures for employee loss notification.
  7. Insist on a List. To mitigate the grave impact on your organization, inventory key systems, access credentials and contacts. This includes bank accounts, registrars, cloud service providers, server hosting providers and payroll providers. Keep this list in a secure yet accessible location.
  8. Forensics – Don’t Do This at Home. The forensics investigation is essential in determining the source and magnitude of a breach. This is best left to the experts as it’s easy to accidentally modify or disrupt the chain of custody.
  9. Where the Logs At? Logs are fundamental components in forensics analysis, helping investigators understand what data was compromised. Types of logs include transaction, server access, firewall and client operating system. Examine all logs in advance to ensure correct configuration and time-zone synchronization. Routinely back them up; keep copies, and make sure they’re protected.
  10. Incident Response Team to the Rescue! Breaches are interdisciplinary events requiring coordinated strategies and responses. The team should represent every functional group within the organization, with an appointed executive who has defined responsibilities and authority. Establish “first responders” available 24/7 (hackers don’t work a 9 to 5 schedule).
  11. Get Friendly With the “Fuzz.” Reach out to law enforcement and regulators prior to an incident. Know who to contact so you won’t have to introduce yourself in the “heat of the battle.” When you have bad news to report, make sure they hear directly from you (a courtesy call goes a long way). Don’t inflame the situation by becoming defensive; focus on what you’re doing to help affected parties.
  12. Rules, Rules, Rules. Become intimately familiar with the international, domestic and local regulations that specifically relate to your organization. The failure to notify the appropriate governmental body can result in further inquiries and fines.
  13. What Did You Say? A well-executed communications plan not only minimizes harm and potential legal consequences, it also mitigates harm to a company’s reputation. Address critical audiences and review applicable laws before notifying. Tailor your message by geographic region and demographics. Knowing what to say is just as important as knowing what NOT to say.
  14. Help Me Help You. Customers want organizations to take responsibility and protect them from the potential consequences of a breach. The DIP should include easy-to-access remedies that offset the harm to affected parties.

Here is a link to the full post: How to Lose Your Data in 10 Days

The 14 tips are a great place to start when thinking about securing your company’s data. As shown by the recent data breaches that have hit Target, Neiman Marcus, Michaels, and Barnes & Noble, the question is no longer one of if your company will have a data breach, but when.

When Your Company is Breached, Your Preparation Will Be Vital to the Company Surviving the Crisis

A data breach is a crisis situation for any company–especially given the amount of attention data breaches are getting these days. From a very big picture perspective, there are two goals to strive for when a company responds to a data breach: (1) avoid, or at least mitigate, any legal and regulatory trouble; and, (2) more importantly, minimize the impact of the breach on the company’s overall business. (see related data breach discussions) The only way your company can achieve these goals is to be proactive by getting prepared before the inevitable occurs–the breach.

If your company is prepared, it is in a much better position to minimize the loss of data, be better able to respond to the breach, and demonstrate to the legal and regulatory authorities that it acted reasonably in protecting its data, which can be very helpful in minimizing the legal and regulatory repercussions, which is the first step. By being prepared and better able to address the first step, the company is then able to focus more of its efforts on polishing its response to be more palatable for its customers and better addressing their feelings and concerns. In other words, if the company is prepared, it is not panicking and scrambling just to get out a response–any response–but instead can take the time to analyze the situation through its customers’ eyes and provide a much better response that takes their feelings and concerns into consideration. This is the vital step because this is what helps preserve the company’s customer relationships.

The best way to be prepared for this is for your company to have a thorough and custom data breach incident response plan. The data breach incident response plan should be tailored to fit your company in many ways, including the following ways just to name a few:

  • the nature of your company’s culture, both internally and externally
  • the nature of your company’s customers
  • the nature of your company’s products or services
  • the nature of your company’s operations and management structure
  • the type, volume, and sensitivity of the data your company collects and retains
  • the security measures your company has in place
  • the resources your company has to devote to data security issues
  • the security standards of your company’s particular industry

Could you figure these things out on your own, with enough time and effort? Probably so — but would that really be efficient? More importantly, and I can not over-emphasize this point enough: You need an attorney to assist you with many of these things because, when done under the guidance of an attorney and if the proper formalities are observed, much of the process can be protected by the attorney-client privilege, but not if you don’t have an attorney assisting with the process.

Help is Only a Telephone Call Away

I have assisted many companies with data security issues from assessing their cybersecurity and data privacy strengths and vulnerabilities, helping them implement policies and procedures for better securing their data, preparing data breach incident response plans, leading them through responses to a data breach, and litigating disputes that have arisen from data breaches. When it comes to cybersecurity and data privacy, I see the whole playing field. If you have questions about how you can help better prepare your company, please feel free to give me a call (214.472.2135) or email me (shawn.tuma@solidcounsel.com).

Fifth Amendment Permits Police To Force Users to Unlock iPhones With Fingerprints, But Not Passcodes

digital fingerprintsThe Fifth Amendment does not prohibit the police from forcing users to provide a fingerprint to unlock a mobile device but it does prohibit them from forcing users to provide a passcode.

This was the ruling of a District Court in Virginia.

The court’s rationale is that the Fifth Amendment does not protect against providing physical or tangible information to further an investigation, such as DNA evidence or a physical key, but it does protect a defendant from having to provide information that must be communicated because by communicating that information, the defendant would be testifying against himself.

Read more: Court Rules Police Can Force Users to Unlock iPhones With Fingerprints, But Not Passcodes – Mac Rumors.

So, your business has never had a data breach? Have you ever had an employee leave?

i quitTAKEAWAY: Businesses must protect their data from being taken by anyone who is not authorized to have it — insiders and outsiders alike. If their data is taken in a way that is unauthorized, it is a data breach. When a former employee leaves with a thumb drive, Gmail inbox, or Dropbox of your businesses’ data, that person is then an unauthorized person in possession of your businesses’ data and that is a [YOU FILL IN THE BLANK].

The Problem

Businesses lose employees everyday for various reasons. When an employee is leaving it is not uncommon for them to think something like this:

  • “I did a really great job on that project, that’s really my work, not Tyrannaco’s.”
  • “I brought those customers to Tyrannaco, they are really my customers.”
  • “I did such a great job on that proposal that I am going to keep a copy for a form in case I ever need to do one again.”
  • “The stupid management at Tyrannaco never recognized the value of what I brought to the table — I need to let these people know that I was really the one doing all of the work.”
  • “I always keep a copy of everything I do, that way if it gets lost, I always have a backup copy.”

… and with those rationalizations, and infinitely more, we all know what happens next. The employee decides to keep their own copy of your businesses’ data, including all of the sensitive private information that your businesses’ customers have entrusted to you for your safekeeping. And then the employee decides to open their own business or go to work for one of your competitors and guess what they’ll bring with them …

Let’s summarize: Your customers entrusted your business with their sensitive information, which was taken from your business and is now in the hands of someone else. You, my friend, have been breached!

Now the next section tells you why you should care. I’ll leave it at that, you get the point.

Overview of Texas’ Data Breach Notification Law

Texas’ data breach notification law is titled “Notification Required Following Breach of Security of Computerized Data” and is found at Section 521.053 of the Texas Business and Commerce Code. The main body of the law provides as follows:

(b)  A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  The disclosure shall be made as quickly as possible, except as provided by Subsection (d) or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

What is a “breach of system security”?

The law defines “breach of system security” as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.”

What is “sensitive personal information”?

The law has a fairly detailed definition of “sensitive personal information” that should be read carefully. A couple of general points will provide an overview of what is and is not protected:

  • Information that is lawfully made available to the public from a federal, state, or local governmental body is not considered sensitive personal information
  • Sensitive personal information does include “an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name in the items are not encrypted:” Social Security number, driver’s license number or other government issued identification number, account or card numbers in combination with the required access or security codes
  • Also included is information that at that identifies an individual and is related to their health condition, provision of healthcare, or payment for healthcare

Who does the law apply to?

The law applies to any person (which includes entities) who conducts business in Texas and owns or licenses computerized data that includes sensitive personal information.

Who must be notified?

The law requires notification to “any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” This is an incredibly broad class of individuals that is certainly not limited to only Texas citizens and, quite possibly, is not even limited to citizens of the United States.

When must the notification be given?

The notification must be given as quickly as possible after it has been determined that an individual’s sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. However, the notification may be delayed as necessary to determine the scope of the breach and restore the reasonable integrity of the data system or at the request of law enforcement to avoid compromising an investigation.

What is the penalty for failure notify?

Section 151.151 of the law provides for a penalty for failing to comply with this notification requirement is a civil penalty of up to $100.00 per individual per day for the delayed time but is not to exceed $250,000 for a single breach.

Any more questions?

Law360 article quotes Shawn Tuma on data privacy significance of U.S. v. Cotterman

Tuma's whiteboard notes - U.S. v. CottermanBrittonTuma partner Shawn Tuma was quoted extensively about last weeks’  United States v. Cotterman opinion in a recent Law360.com article titled “9th Circ. Pioneers Laptop Search Limits in Border Case“. Here are excerpts of what Tuma had to say:

“The court is raising the level of the expectation of privacy in data closer to that of someone’s own human body and further away from that of human property, essentially creating a new standard for data and information,” Shawn E. Tuma of Texas-based law firm BrittonTuma said Monday. “Now, if someone is carrying trade secrets or other intellectual property in a device that is seized at the border, that will have a higher expectation of privacy than other property.”
The impact of this new standard on data breach litigation could extend beyond border issues. According to attorneys, courts often dismiss these suits, finding the plaintiffs didn’t suffer any damages in losing control of their personal data.But if more followed the Ninth Circuit’s example, plaintiffs could gain a stronger argument on the value of compromised or misused information, Tuma noted. And employees could use the decision to oppose policies that allow their employer to search personal devices used for business purposes.

“I can see … an argument based on this case, saying that because the Ninth Circuit found that devices at the border are entitled to a greater expectation of privacy, employers should be held to the same reasonable suspicion standard before being allowed to search employee devices,” Tuma said.

Here is a link to the full article: http://www.law360.com/articles/422542/9th-circ-pioneers-laptop-search-limits-in-border-case 

Tuma provided more explanation of these data privacy implications in two other posts:

Podcast Discussing Data Privacy and Information Security Implications of United States v. Cotterman – Now Available!

You can now listen to the podcast for Courts Showing Greater Respect for Data Privacy – United States v. Cotterman. Click HERE!

For a recap, here is my discussion of this podcast and who participated:

I finished a fantastic Skype discussion of the Cotterman opinion with with Rafal Los (@Wh1t3Rabbit) and Mike Schearer (@theprez98). As you may recall from The Law and the Hacker podcast I did a few months ago, Raf is often referred to as the Chief Security Evangelist for HP and blogs at Following the Wh1t3Rabbit – Practical Enterprise Security. Mike is a security consultant and penetration tester by day and a law student and hacker by night who blogs at Mike’s Blog and wrote a nice post on the Cotterman opinion: Law in Plain English: United States v. Cotterman You should know how seriously the three of us take this issue since this is how we spent our Saturday night! Raf has turned our discussion into a podcast that is available HERE. So, much of what I would write in the blog is in the podcast so I will keep this post as short as possible.

If you have any questions or would like to talk computer fraud, data security or privacy, please feel free to give me a call (469.635.1335) or email me (stuma@brittontuma.com).