Podcast: DtR NewsCast of Hot Cyber Security Topics

I had the pleasure of joining the DtR Gang for another podcast on Down the Security Rabbit Hole and, as usual with this bunch, it was more fun than anything — but I learned a lot as well. Let me just tell you, these guys are the best around at what they do and they’re really great people on top of that!

This episode had the usual suspects of Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst), though James was riding passenger in a car and could only participate through IM. Also joining as a guest along with me was Philip Beyer (@pjbeyer).

Go check out the podcast and let us know what you think — use hashtag #DtR on Twitter!

Thank you Raf, James, Michael and Phil — this was a lot of fun!

Podcast: CFAA, Shellshock and Cyber Security Research — What the Heck Do We Want?

Today I had a blast doing a podcast on the CFAA, Shellshock, and cyber security research with Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst) — in fact, we had so much fun that I suspect Raf had quite a time trying to edit it!

The starting point for our discussion was a recent article written by security researcher and blogger Robert Graham (@ErrataRob) titled Do shellshock scans violate CFAA?

As I mentioned on the show, when I first saw Robert’s article, I viewed it with skepticism. However, after actually reading it (yeah, I know — makes sense, right?), I found the article to be very well written, sound on the principles and issues of the CFAA — in my view, Robert did a great job of framing some key issues in the debate that definitely needs to happen.

From the article, our discussion expanded to a general discussion of the Computer Fraud and Abuse Act, the confusion over how it applies to “security research,” and whether it is even possible for Congress to “fix” the CFAA.

I do not think Congress is able to “fix” the CFAA right now for many reasons. However, I believe we pointed out some additional issues that must be taken into consideration during the public debate in determining what we as a society really value and want on these issues. Until “we the people” can figure that out, I see no way for Congress to “fix” this law which means the Common Law method is what we are left with.

Anyway, this post is just skimming the surface — Raf turned this into a really nice podcast so check it out: Down the Security Rabbithole.

Thank you Raf, James and Michael — this was a lot of fun!

The Law and the Hacker – Podcast on the Computer Fraud and Abuse Act

Not too long ago I had a nice visit with Rafal Los (@Wh1t3Rabbit), who is otherwise known as the Chief Security Evangelist for HP and blogs at Following the Wh1t3Rabbit – Practical Enterprise Security. Raf is one dude you really need to follow if you’re interested in #infosec.

Anyway, our discussion was centered around the Computer Fraud and Abuse Act and how it applies to hackers. Raf turned this into a really nice podcast so check it out: Down the Security Rabbithole.

Responsiveness and Responsibility Are Considered in Assessing Data Breach Fines

About a year and a half ago I wrote a post titled Data Breach – Who’s Gonna Get it? where I made the point that, much like with Ford’s “bean counting” with the Pinto deaths back in the ’70s, companies that were aware of the risk of data breach but did not act responsibly were going to get it. The message, that is. While my post anticipated receiving that message from a jury, the point is no different when it comes to having a message sent by the Office of Civil Rights or some other governmental agency. When something bad happens, as it inevitably does, people instinctively want to know whether it was truly an unfortunate circumstance or whether it was because of willful neglect. That is, were they trying to “do right” or did they just not care? If it is the former, they will usually cut you some slack; if the latter, you’re going to hang!

This point was confirmed in a recent interview with the Director of the Office of Civil Rights, Leon Rodriguez, who indicated that the OCR will take into consideration how a company responds to a data breach in deciding whether to assess monetary fines.

Rodriguez expects the coming year will see a higher number of data breaches being reported, partly as a consequence of an increase in data analytics and risk assessment procedures, but adds that entities that respond decisively and responsibly to data breaches most likely won’t be the subject of monetary enforcement.

If you want to read more, check out the full article with Rodriguez’s interview: OCR looking for ‘high level of sensitivity’ in data breaches | Government Health IT.

Don’t let your company be “that company” — now is the time to be proactive in putting policies and procedures in place to help prevent a data breach or, should one occur, be prepared to respond in a responsible way so that your company doesn’t “get the message.” Give me a call or send me an email, I’ll be happy to talk with you about these issues and any others.

-Shawn Tuma (469.635.1335 / stuma@brittontuma.com)

Privacy and Cyber Legislation Pending in the 112th Congress

Computer hacking, data breach, data privacy, and information security have dominated the news lately and created a sense of urgency in Congress to “do something” to fix the problems. Over the last few days I have searched the web for a source to keep me updated on all of the cyber-legislation that is currently pending in the 112th United States Congress. I have been unable to find such a source, so I have resorted to a rather crude search of the Library of Congress’ “Thomas” website — this is my first “search” of Thomas for such purposes, so I can’t guarantee the accuracy of my research. Since I am going through the trouble myself, however, I thought I would share it with you as well.

The following is an over-inclusive (by a long shot) list of the current legislative initiatives that I have found that appear to be privacy or cyber related. Initially, I went through and linked each bill to its Thomas summary but then, after going through that whole process, learned the hard way that Thomas times out after 30 minutes and the links were useless. As my teenage daughter would say, that was a FAIL! So, we’ll just have to use a workaround — go HERE and type in the Bill Number and it will take you to the Thomas page where you can find the text and summary of the legislation as well as track its status and find other helpful information.

H.R.76 : Cybersecurity Education Enhancement Act of 2011

H.R.102 : Photo Identification Security Act

H.R.108 : Voting Opportunity and Technology Enhancement Rights Act of 2011

H.R.174 : Homeland Security Cyber and Physical Infrastructure Protection Act of 2011

H.R.220 : Identity Theft Prevention Act of 2011

H.R.352 : To permit members of the House of Representatives to donate used computer equipment to public elementary and secondary schools designated by the members.

H.R.423 : Member Address Privacy and Protection Act

H.R.427 : To amend the Internal Revenue Code of 1986 to provide a 5-year recovery period for computer-based gambling machines.

H.R.484 : Personal Privacy Clarification Act

H.R.592 : Sunshine in Litigation Act of 2011

H.R.611 : Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act / BEST PRACTICES ACT

H.R.653 : Financial Information Privacy Act of 2011

H.R.654 : Do Not Track Me Online Act

H.R.685 : Checkpoint Images Protection Act of 2011

H.R.877 : To express the sense of Congress that Federal job training programs that target older adults should work with nonprofit organizations that have a record of success in developing and implementing research-based technology curriculum designed specifically for older adults.

H.R.948 : Embedded Mental Health Providers for Reserves Act of 2011

H.R.1059 : To protect the safety of judges by extending the authority of the Judicial Conference to redact sensitive information contained in their financial disclosure reports, and for other purposes.

H.R.1136 : Executive Cyberspace Coordination Act of 2011

H.R.1187 : Fix HIT Act of 2011

H.R.1261 : Chief Technology Officer Act

H.R.1279 : Aircraft Passenger Whole-Body Imaging Limitations Act of 2011

H.R.1389 : Global Online Freedom Act of 2011

H.R.1509 : Medicare Identity Theft Prevention Act of 2011

H.R.1528 : Consumer Privacy Protection Act of 2011

H.R.1538 : Social Security Identity Defense Act of 2011

H.R.1707 : Data Accountability and Trust Act

H.R.1841 : Data Accountability and Trust Act (DATA) of 2011

H.R.1895 : Do Not Track Kids Act of 2011

H.R.2004 : Technology Security and Antiboycott Act

H.R.2089 : Technology Helps Revamp, Evaluate, and Expedite Designs Act of 2011

H.R.2096 : Cybersecurity Enhancement Act of 2011

H.R.2102 : FCC Commissioners’ Technical Resource Enhancement Act

H.R.2125 : Electronic Paycard Protection Act of 2011

H.R.2168 : Geolocational Privacy and Surveillance Act

(Discussion Draft) “Secure and Fortify Electronic Data Act” or the “SAFE Data Act” (Introduced 6/10/11)

H.RES.98 : Expressing the Sense of the House of Representatives that the Commissioner of the Food and Drug Administration should give the greatest weight in making critical policy decisions to readily available hard science data, including evidence from the natural sciences, physical sciences, and computing sciences.

H.RES.175 : Expressing the sense of the House of Representatives that in order to continue aggressive growth in the Nation’s telecommunications and technology industries, the United States Government should “Get Out of the Way and Stay Out of the Way”.

S.1 : American Competitiveness Act

S.8 : Tough and Smart National Security Act

S.21 : Cyber Security and American Cyber Competitiveness Act of 2011

S.193 : USA PATRIOT Act Sunset Extension Act of 2011

S.224 : Stalkers Act of 2011

S.257 : Small Business Broadband and Emerging Information Technology Enhancement Act of 2011

S.290 : USA PATRIOT Act Sunset Extension Act of 2011

S.372 : Cybersecurity and Internet Safety Standards Act

S.413 : Cybersecurity and Internet Freedom Act of 2011

S.539 : Behavioral Health Information Technology Act of 2011

S.611 : FCC TECH Act

S.643 : Fix HIT Act of 2011

S.799 : Commercial Privacy Bill of Rights Act of 2011

S.801 : Information Technology Investment Management Act of 2011

S.813 : Cyber Security Public Awareness Act of 2011

S.848 : Consumer Information Enhancement Act of 2011

S.890 : Fighting Fraud to Protect Taxpayers Act of 2011

S.913 : Do-Not-Track Online Act of 2011

S.1011 : Electronic Communications Privacy Act Amendments Act of 2011

S.1050 : Fourth Amendment Restoration Act

S.1070 : Fourth Amendment Restoration Act

S.1073 : A bill to require the Attorney General to establish minimization and destruction procedures governing the acquisition, retention, and dissemination by the Federal Bureau of Investigation of certain records.

S.1075 : A bill to provide judicial review of National Security Letters.

S.1125 : USA PATRIOT Act Improvements Act of 2011

S.1151 : Personal Data Privacy and Security Act of 2011

S.1152 : Cybersecurity Enhancement Act of 2011

S.1159 : Cyberspace Warriors Act of 2011

S.1199 : Protecting the Privacy of Social Security Numbers Act

S.1207 : Data Security and Breach Notification Act of 2011

S.1212 : Geolocational Privacy and Surveillance Act

S.1223 : Location Privacy Protection Act of 2011

S.RES.35 : A resolution expressing support for the designation of January 28, 2011 as National Data Privacy Day.

S.AMDT.141 to S.23 : To clarify that section 14 shall not apply to an invention that is a computer program product or system used solely for preparing a tax or information return or other tax filing.

If you find that something is missing and should have been included, please let me know and I’ll make the addition. Better yet, if you know of a website that has this information and keeps it updated, let me know — I’ve never been much on reinventing the wheel!

Personal Data Privacy and Security Act of 2011

On June 7, 2011 Senator Leahy introduced bill S. 1151 in the Senate called the Personal Data Privacy and Security Act of 2011, which is linked HERE. The stated purpose of the bill is as follows:

“To prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.”

The proposed bill would, among other things, amend the RICO Act to include violations of the Computer Fraud and Abuse Act (“CFAA”), thus adding a RICOesque twist to the CFAA which is a dream for any lawyer dealing with these issues. This is a significant piece of legislation that comes in at 70 pages and will require some analysis (did I mention I’m getting married this week?) that I fully intend to do … but I haven’t yet! At any rate, I’ll do this the “cheap way” for the time being and provide the Table of Contents of the bill so you can see what it does in general and whether it’s worth your while to dig any deeper. Or, you can just wait for me to dig into it for you! I am sorry for doing this but it is late and I have lots to do so, at any rate, here goes:

TITLE I—ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS OF DATA PRIVACY AND SECURITY
Sec. 101. Organized criminal activity in connection with unauthorized access to personally identifiable information.
Sec. 102. Concealment of security breaches involving sensitive personally identifiable information.
Sec. 103. Penalties for fraud and related activity in connection with computers.

TITLE II—DATA BROKERS
Sec. 201. Transparency and accuracy of data collection.
Sec. 202. Enforcement.
Sec. 203. Relation to State laws.
Sec. 204. Effective date.

TITLE III—PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION
Subtitle A—A Data Privacy and Security Program
Sec. 301. Purpose and applicability of data privacy and security program.
Sec. 302. Requirements for a personal data privacy and security program.
Sec. 303. Enforcement.
Sec. 304. Relation to other laws.
Subtitle B—Security Breach Notification
Sec. 311. Notice to individuals.
Sec. 312. Exemptions.
Sec. 313. Methods of notice.
Sec. 314. Content of notification.
Sec. 315. Coordination of notification with credit reporting agencies.
Sec. 316. Notice to law enforcement.
Sec. 317. Enforcement.
Sec. 318. Enforcement by State attorneys general.
Sec. 319. Effect on Federal and State law.
Sec. 320. Authorization of appropriations.
Sec. 321. Reporting on risk assessment exemptions.
Sec. 322. Effective date.

TITLE IV—GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA
Sec. 401. General services administration review of contracts.
Sec. 402. Requirement to audit information security practices of contractors and third party business entities.
Sec. 403. Privacy impact assessment of government use of commercial information services containing personally identifiable information.