Yes, I will mention this post in tomorrow’s seminar on data breach! “Who’s Gonna Get It?”

This is one of my favorite and my most popular posts ever — and you better believe I will find a way to mention it to this group of CEOs to help them understand why it is important to take seriously the data security threat!

Data Breach – Who’s Gonna Get It? | business cyber risk | law blog.

 

“Defense wins championships” when preparing for the inevitable data breach

“The best strategy to manage the inevitable data breach of your enterprise is to be prepared.” -Adam Greenberg, SC Magazine

Exactly. You must prepare on two fronts: Defense and Response.

In a recent article in SC Magazine, Adam Greenberg marches along faithfully with many of us in trying to get you, the business leader, to appreciate the severe risk that data breaches pose to your business. He starts by repeating the old data breach proverb, “It is not a matter of if, but when,” which readers of this site have heard many times before.

It is now a given that every enterprise either already has been, or will be, the victim of a data breach. It’s just life in the digital age; get used to it.

More importantly, prepare for it. A data breach can be either (1) a catastrophic event that threatens the very existence of your enterprise, or (2) just another adversity that your enterprise faces, manages, and learns from along its journey to success.

The choice is yours and is determined by whether you stick your head in the sand and ignore the risk or prepare for it. The first step you must take is to decide that you will not ignore this threat and that you will prepare for it. This is the most difficult step for many business leaders but, once we get past it, we start making progress.

Preparing for a data breach requires preparing a defensive strategy and a responsive strategy.

Preparing to Defend

“Offense sells tickets; Defense wins championships” -Coach Paul “Bear” Bryant Jr.

When we talk about preparing for a data breach, some people jump the gun and start thinking about how they will respond. This loses sight of the primary objective, your duty: PROTECTING THE DATA, which necessarily requires defending your system.

The top priority for your enterprise is to take steps to assess and strengthen its cyber security posture. Then, the deficiencies that are identified must be corrected (there are always deficiencies). And don’t forget to document the steps that are taken (here is why).

Preparing to Respond

After you have prepared your defensive strategy, the next step is to prepare for responding to the inevitable data breach. Every enterprise needs a data breach response strategy that is documented in a written breach response plan (here is why).

The breach response plan needs to be comprehensive, readily accessible in an emergency, and everyone needs to be trained on their roles in the plan. You can read more about breach response plans here.

Fortunately, this process is not as intimidating as it may sound. The most difficult part is that you must decide that you will make sure your enterprise is prepared for this risk. After you make that decision, a qualified adviser who has helped other enterprises prepare for these situations can guide you through the process.

Learn more about the author’s unique CyberGard–Cyber Risk Protection Program.


Source of original article: Plan ahead: Prepare for the inevitable data breach – SC Magazine.


Uncle Sam doesn’t have a clue on data privacy, cyber crime laws, and neither do we!

©2011 Braydon Fuller

The point of the article that is the source of the quote below is exactly right: there is no consistency, cohesiveness, or harmony with the cyber crime and data privacy laws. I believe there are several reasons, but these are the two that are most prominent:

  • The cyber crime and data privacy laws are a patchwork collection of laws that have been enacted based upon reactionary fears over a vast amount of time, each in response to a particular “concern of the day” without taking into account the other laws or the possible evolution of the issues and technology they seek to redress. Imagine trying to paint a painting after blindfolding yourself and then only using “dot by dot” with the tip of the brush to make the painting — no strokes (seriously, try it).
  • We, as a society, do not yet know what we really value.
    • On one hand, we want to protect our own information when it is in the custody of others yet, on the other hand, also disclose much of our own information through public channels yet keep others from using that information for purposes we do not like.
    • On one hand, we want to protect other people’s information yet, on the other hand, we want to freely exercise our perceived rights to free access to information (even when it may legally belong to others).
    • On one hand, we want to have a secure information system that allows for vibrant eCommerce that is protected by laws prohibiting people from “hacking” that information, yet on the other hand, we want to protect the rights of the good “hackers” who do security testing and are necessary to ensure that information system is secure.
    • On one hand, we want to punish those who have our information, try to protect it, yet have others hack them and steal it while, on the other hand, support those who are hacking to steal such information, while, on yet another hand (or foot), freely give our information to others and then punish them for using it in ways we do not like.
    • … and the list could go on … (for more, see Hunter Moore or Aaron Swartz: Do we hate the CFAA? Do we love the CFAA? Do we even have a clue?)

Anyway, here is the article that got me thinking about this at 4:00 in the morning:

Uncle Sam has gotten his wires crossed on internet data privacy. A hacker went to prison for exposing private customer information that AT&T failed to protect from online access. Now U.S. prosecutors are defending their right to do essentially the same thing in the Silk Road drug-website case. Anti-hacking laws are tough to take seriously when even enforcers can’t decide what’s allowed.

via Uncle Sam gets wires crossed on data privacy.

Data Breach Judgment: Will Home Depot Be the One to “Get It”?

Will Home Depot be the one that’s “gonna get it”?

Based upon the information we are learning, it could be.

Way back in 2011 I wrote Data Breach — Who’s Gonna Get it? and it scared people. For good reason. In that piece I wrote of how one day, in the future, a company would come along that had clear and unequivocal knowledge of the risk posed by data breach and, despite that knowledge, ignored it.

Then, because it knew of the risks, but chose to ignore those risks, there would be no forgiveness when its time for judgment came and it would have to pay the price for ignoring this risk.

I expected that judgment to come from a jury. Data breach lawsuits based on privacy rights are having a difficult time in the courts because the plaintiffs are unable to show they suffered any actual harm. However, enterprising lawyers are finding a way around these impediments by looking to companies’ contractual documents and websites to find things such as Privacy Policies, Terms of Service, and other literature making representations about security, and using those documents to serve as the premise for deceptive trade practices claims. A case against Home Depot just may be able to get to a jury on these types of claims.

Or, the judgment could — and likely will — also come from elsewhere such as the FTC or attorneys general of many states.

If true, there will be a price to pay

Regardless of where it comes from, the ultimate price that Home Depot pays for this data breach could be of record proportions and make the costs Target paid for its breach pale in comparison. Why?

Because, according to the statements below, Home Depot knew the risks, was fully aware of the scope of the risks, knew the consequences of those risks, and could have taken steps to mitigate those risks, but instead it consciously ignored them. If these statements prove to be accurate, sit back and get ready to watch, because this one could get interesting:

The risks were clear to computer experts inside Home Depot: The home improvement chain, they warned for years, might be easy prey for hackers.

But despite alarms as far back as 2008, Home Depot was slow to raise its defenses, according to former employees. On Thursday, the company confirmed what many had feared: The biggest data breach in retailing history had compromised 56 million of its customers’ credit cards. The data has popped up on black markets and, by one estimate, could be used to make $3 billion in illegal purchases.

via Ex-Employees Say Home Depot Left Data Vulnerable – NYTimes.com.

3 Steps the C-Suite Can Take to Strengthen Cyber Security

The C-Suite is ultimately responsible for failures of a company’s cyber security. A recent example of this is how Target’s CEO, CTO, and several Board Members were pushed out in the wake of its data breach.

SEE BELOW FOR EVENT REGISTRATION!

This puts leaders in a difficult position. It is almost a statistical certainty that every company will suffer a data breach sooner rather than later. Does that mean that most C-Levels and Directors are on the verge of losing their positions because of a data breach? Does it mean that their careers and future are now out of their control?

No, it does not have to mean either of those things. There are steps leaders can take to help minimize the risk of these things happening, both to themselves and their companies.

Leaders will be Judged, but by What Standard?

Because statistics show that virtually all companies will eventually suffer some form of data breach, the standard by which their leadership is judged is not whether their company did or did not suffer a data breach. That is now a given.

Rather, the standard is whether, prior to a breach, the company had taken reasonable steps to protect its systems and data and whether it made appropriate plans to respond and mitigate the effects of such a breach.

Because the risk is foreseeable, the question is one of preparation. That is, did the leaders act reasonably in preparing their companies now that they are aware of the risks their companies face? If they did, they have much better odds. If they did not, they will be judged harshly.

How can leaders help prepare their companies for these challenges?

The 3 Steps

To prepare their companies, the C-Suite must show leadership on this issue by setting a tone for the company and establishing a culture of compliance when it comes to cyber security. This must come from the top down. There are three steps that leadership can take that will help create that culture:

  1. Leadership must truly care about cyber security and the digital business risks their company faces;
  2. Leadership must show its concern and commitment by dedicating appropriate resources for cyber security and minimizing digital business risks; and
  3. Leadership must listen to those responsible for, and who work most closely with, cyber security issues. By listening, leadership reaffirms its concern and commitment to a culture of compliance for cyber security. Leadership also increases its knowledge and understanding of the nature of the cyber security threats and the digital business risks the company faces.

Where Can Leaders Start?

The starting point for members of the C-Suite and Boardroom is to gain a better appreciation and understanding of the risks their companies face. There is a great opportunity for them to do this by attending an upcoming seminar sponsored by the North Texas Crime Commission.

The seminar, Strengthening the Weak Link: Cyber Security Essentials for the C-Suite, will be held at the George W. Bush Institute at Southern Methodist University on October 16, 2014.

The keynote speaker will be Tom Ridge, former Secretary of Homeland Security. There are several other notable speakers who will be sharing their knowledge of these risks, including members of the cyber units of the FBI, Secret Service, United States Department of Justice, and many others.

Register for the event on Eventbrite by clicking HERE!


Social Media Law Presentation Slides for MENG Webinar

I recently had the pleasure of presenting a nationally broadcast webinar on social media law to MENG (Marketing Executives Networking Group) which is a national network of top-level marketing executives. You can learn more about MENG by visiting its website and you can learn more about my presentation by visiting MENG’s webpage promoting the webinar.

Thanks to the hard work and experience of the MENG team, the technical aspects of the webinar were very smooth and the participants had fabulous questions that made it even better. Presenting to MENG was a great experience that I really appreciate!

The slides from the presentation titled Social Media Law: It is Real, and, Yes, It Really Can Impact Your Business are available HERE.


About the author

Shawn Tuma is a lawyer who is experienced in advising clients on complex digital information law and intellectual property issues. These issues include things such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act; helping companies with data security issues from assessing their data security strengths and vulnerabilities, helping them implement policies and procedures for better securing their data, preparing data breach incident response plans, leading them through responses to a data breach, and litigating disputes that have arisen from data breaches.

Shawn is a partner at BrittonTuma, a boutique business law firm with offices near the border of Frisco and Plano, Texas, which is located minutes from the District Courts of Collin County, Texas and the Plano Courthouse of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex, including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as throughout the nation pro hac vice). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.

What is Corporate Espionage, Industrial Espionage, Cyber Espionage, and Economic Espionage? The DOJ Explains …

Cyber Espionage – fact or fiction?

What is Cyber Espionage?

Corporate espionage, industrial espionage, and cyber espionage all generally mean the same thing: (1) intentionally targeting or acquiring trade secrets of companies to benefit any foreign government, foreign instrumentality, or foreign agent (FBI), which means, in simpler terms, (2) espionage conducted to gain a commercial advantage (Wikipedia).

What is this not? This is not espionage to gain a national security advantage — it is to gain economic advantage. Of course, it could be argued that this is a distinction without a difference as an economic advantage could certainly help on national security matters as well, but that is going down too deep into the weeds. You need to understand the distinction.

I have been writing about cyber espionage for a while.

And, I have spoken about it at seminars where many people probably thought I was making that stuff up — you know, about the big bad conspiracy by foreign governments to steal valuable intellectual property from US businesses to give their countries’ businesses a competitive advantage.

But I have to admit, it is really nice to have validation from a reputable source — the United States Department of Justice.

An Example of Cyber Espionage

This week the news is abuzz about a lawsuit brought by the United States Department of Justice in the United States District Court for the Western District of Pennsylvania against five officers of the Chinese People’s Liberation Army: Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu and Gu Chunhui.

The Indictment charges the Chinese officers with six offenses:

  1. Conspiring to commit computer fraud and abuse (Computer Fraud and Abuse Act, 18 U.S.C. § 1030(b));
  2. Wrongful access of a protected computer for financial gain (Computer Fraud and Abuse Act, 18 U.S.C. §§ 1030(a)(2)(C), 1030(c)(2)(B)(i)-(iii), and 2);
  3. Wrongful transmission to damage a protected computer (Computer Fraud and Abuse Act, 18 U.S.C. §§ 1030(a)(5)(A), 1030(c)(4)(B), and 2);
  4. Aggravated identity theft (Identity Theft Act, 18 U.S.C. §§ 1028A(a)(1), (b), (c)(4), and 2);
  5. Economic espionage (Economic Espionage Act, 18 U.S.C. §§ 1831(a)(2), (a)(4), and 2); and
  6. Trade secret theft (Trade Secrets Act, 18 U.S.C. §§ 1832(a)(2), (a)(4), and 2).

The Indictment, based on an FBI investigation, alleges that from 2006 to 2014 the officers’ actions targeted six US companies (Westinghouse Electric Co. (Westinghouse), U.S. subsidiaries of SolarWorld AG (SolarWorld), United States Steel Corp. (U.S. Steel), Allegheny Technologies Inc. (ATI), the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union (USW) and Alcoa Inc.) by hacking into the computer systems of the companies and engaging in the following conduct (see DOJ Summary):

Westinghouse

In 2010, while Westinghouse was building four AP1000 power plants in China and negotiating other terms of the construction with a Chinese SOE (SOE-1), including technology transfers, Sun stole confidential and proprietary technical and design specifications for pipes, pipe supports, and pipe routing within the AP1000 plant buildings.

Additionally, in 2010 and 2011, while Westinghouse was exploring other business ventures with SOE-1, Sun stole sensitive, non-public, and deliberative e-mails belonging to senior decision-makers responsible for Westinghouse’s business relationship with SOE-1.

Solarworld

In 2012, at about the same time the Commerce Department found that Chinese solar product manufacturers had “dumped” products into U.S. markets at prices below fair value, Wen and at least one other, unidentified co-conspirator stole thousands of files including information about SolarWorld’s cash flow, manufacturing metrics, production line information, costs, and privileged attorney-client communications relating to ongoing trade litigation, among other things. Such information would have enabled a Chinese competitor to target SolarWorld’s business operations aggressively from a variety of angles.

U.S. Steel

In 2010, U.S. Steel was participating in trade cases with Chinese steel companies, including one particular state-owned enterprise (SOE-2). Shortly before the scheduled release of a preliminary determination in one such litigation, Sun sent spearphishing e-mails to U.S. Steel employees, some of whom were in a division associated with the litigation. Some of these e-mails resulted in the installation of malware on U.S. Steel computers. Three days later, Wang stole hostnames and descriptions of U.S. Steel computers (including those that controlled physical access to company facilities and mobile device access to company networks). Wang thereafter took steps to identify and exploit vulnerable servers on that list.

ATI

In 2012, ATI was engaged in a joint venture with SOE-2, competed with SOE-2, and was involved in a trade dispute with SOE-2. In April of that year, Wen gained access to ATI’s network and stole network credentials for virtually every ATI employee.

USW

In 2012, USW was involved in public disputes over Chinese trade practices in at least two industries. At or about the time USW issued public statements regarding those trade disputes and related legislative proposals, Wen stole e-mails from senior USW employees containing sensitive, non-public, and deliberative information about USW strategies, including strategies related to pending trade disputes. USW’s computers continued to beacon to the conspiracy’s infrastructure until at least early 2013.

Alcoa

About three weeks after Alcoa announced a partnership with a Chinese state-owned enterprise (SOE-3) in February 2008, Sun sent a spearphishing e-mail to Alcoa. Thereafter, in or about June 2008, unidentified individuals stole thousands of e-mail messages and attachments from Alcoa’s computers, including internal discussions concerning that transaction.

Does Your Business Have Trade Secrets?

If your business has trade secrets (and it does), you must protect them. To do this you need to take affirmative steps to identify those trade secrets and implement policies and procedures to protect them from disclosure, whether intentionally or unintentionally, by insiders and outsiders alike. I have made it easy for you to get started.

All you need to do is use this free guide that I prepared to walk you through the process and, of course, feel free to let me know if you have any questions along the way: Texas Business Guide: Identifying and Protecting Trade Secrets Under the (New) Texas Uniform Trade Secrets Act
