Yes, I will mention this post in tomorrow’s seminar on data breach! “Who’s Gonna Get It?”

This is one of my favorite and my most popular posts ever — and you better believe I will find a way to mention it to this group of CEOs to help them understand why it is important to take seriously the data security threat!

Data Breach – Who’s Gonna Get It? | business cyber risk | law blog.

 

Podcast: DtR NewsCast of Hot Cyber Security Topics

I had the pleasure of joining the DtR Gang for another podcast on Down the Security Rabbit Hole and, as usual with this bunch, it was more fun than anything — but I learned a lot as well. Let me just tell you, these guys are the best around at what they do and they’re really great people on top of that!

This episode had the usual suspects of Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst), though James was riding passenger in a car and could only participate through IM. Also joining as a guest along with me was was  Philip Beyer (@pjbeyer).

Go check out the podcast and let us know what you think — use hashtag #DtR on Twitter!

Thank you Raf, James, Michael and Phil — this was a lot of fun!

Podcast: CFAA, Shellshock and Cyber Security Research — What the Heck Do We Want?

Today I had a blast doing a podcast on the CFAA, Shellshock, and cyber security research with Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst) — in fact, we had so much fun that I suspect Raf had quite a time trying to edit it!

The starting point for our discussion was a recent article written by security researcher and blogger Robert Graham (@ErrataRob) titled Do shellshock scans violate CFAA?

As I mentioned on the show, when I first saw Robert’s article, I viewed it with skepticism. However, after actually reading it (yeah, I know — makes sense, right?), I found the article to be very well written, sound on the principles and issues of the CFAA — in my view, Robert did a great job of framing some key issues in the debate that definitely needs to happen.

From the article, our discussion expanded to a general discussion of the Computer Fraud and Abuse Act, its confusion as to application to “security research,” and whether it is even possible for Congress to “fix” the CFAA.

I do not think Congress is able to “fix” the CFAA right now for many reasons. However, I believe we pointed out some additional issues that must be taken into consideration during the public debate in determining what we as a society really value and want on these issues. Until “we the people” can figure that out, I see no way for Congress to “fix” this law which means the Common Law method is what we are left with.

Anyway, this post is just skimming the surface — Raf turned this into a really nice podcast so check it out: Down the Security Rabbithole.

Thank you Raf, James and Michael — this was a lot of fun!

Uncle Sam doesn’t have a clue on data privacy, cyber crime laws, and neither do we!

©2011 Braydon Fuller

©2011 Braydon Fuller

The point of the article that is the source of the quote below is exactly right: there is no consistency, cohesiveness, or harmony with the cyber crime and data privacy laws. I believe there are several reasons but these are the two that are most prominent:

  • The cyber crime and data privacy laws are a patchwork collection of laws that have been enacted based upon reactionary fears over a vast amount of time, each in response to a particular “concern of the day” without taking into account the other laws or the possible evolution of the issues and technology they seek to redress. Imagine trying to paint a painting after blindfolding yourself and then only using “dot by dot” with the tip of the brush to make the painting — no strokes (seriously, try it).
  • We, as a society, do not yet know what we really value.
    • On one hand, we want to protect our own information when it is in the custody of others yet, on the other hand, also disclose much of our own information through public channels yet keep others from using that information for purposes we do not like.
    • On one hand, we want to protect other people’s information yet, on the other hand, we want to freely exercise our perceived rights to free access to information (even when it may legally belong to others).
    • On one hand, we want to have a secure information system that allows for vibrant eCommerce that is protected by laws prohibiting people from “hacking” that information, yet on the other hand, we want to protect the rights of the good “hackers” who do security testing and are necessary to ensure that information system is secure.
    • On one hand, we want to punish those who have our information, try to protect it, yet have others hack them and steal it while, on the other hand, support those who are hacking to steal such information, while, on yet another hand (or foot), freely give our information to others and then punish them for using it in ways we do not like.
    • … and the list could go on … (for more, see Hunter Moore or Aaron Swartz: Do we hate the CFAA? Do we love the CFAA? Do we even have a clue?)

Anyway, here is the article that got me thinking about this at 4:00 in the morning:

Uncle Sam has gotten his wires crossed on internet data privacy. A hacker went to prison for exposing private customer information that AT&T failed to protect from online access. Now U.S. prosecutors are defending their right to do essentially the same thing in the Silk Road drug-website case. Anti-hacking laws are tough to take seriously when even enforcers can’t decide what’s allowed.

via Uncle Sam gets wires crossed on data privacy.

Data Breach Judgment: Will Home Depot Be the One to “Get It”?

Will Home Depot be the one to "get it"?Will Home Depot be the one that’s “gonna get it”?

Based upon the information we are learning, it could be.

Way back in 2011 I wrote Data Breach — Who’s Gonna Get it? and it scared people. For good reason. In that piece I wrote of how one day, in the future, a company would come along that had clear and unequivocal knowledge of the risk posed by data breach and, despite that knowledge, ignored it.

Then, because it knew of the risks, but chose to ignore those risks, there would be no forgiveness when its time for judgment came and it would have to pay the price for ignoring this risk.

I expected that judgment to come from a jury. Data breach lawsuits based on privacy rights are are having a difficult time in the courts because the plaintiffs are unable to show they suffered any actual harm. However, enterprising lawyers are finding a way around these impediments by looking to companies’ contractual documents and websites to find things such as Privacy Policies, Terms of Service, and other literature making representations about security and using those documents to serve as the premise for deceptive trade practices claims. A case against Home Depot just may be able to get to a jury on these types of claims.

Or, the judgment could — and likely will — also come from elsewhere such as the FTC or attorneys general of many states.

If true, there will be a price to pay

Regardless of where it comes from, the ultimate price that Home Depot pays for this data breach could be of record proportions and make the costs Target paid for its breach pale in comparison. Why?

Because, according to the statements below, Home Depot knew the risks, was fully aware of scope of the risks, knew the consequences of those risks, could have taken steps to mitigate those risks, but instead, it consciously ignored them. If these statements prove to be accurate, sit back and get ready to watch because this one could get interesting:

The risks were clear to computer experts inside Home Depot: The home improvement chain, they warned for years, might be easy prey for hackers.

But despite alarms as far back as 2008, Home Depot was slow to raise its defenses, according to former employees. On Thursday, the company confirmed what many had feared: The biggest data breach in retailing history had compromised 56 million of its customers’ credit cards. The data has popped up on black markets and, by one estimate, could be used to make $3 billion in illegal purchases.

via Ex-Employees Say Home Depot Left Data Vulnerable – NYTimes.com.

3 Steps the C-Suite Can Take to Strengthen Cyber Security

NTCC 1The C-Suite is ultimately responsible for failures of a company’s cyber security. A recent example of this is how Target’s CEO, CTO, and several Board Members were pushed out in the wake of its data breach.

SEE BELOW FOR EVENT REGISTRATION!

This puts leaders in a difficult position. It is almost a statistical certainty that every company will suffer a data breach sooner rather than later. Does that mean that most C-Levels and Directors are on the verge of losing their positions because of a data breach? Does it mean that their careers and future are now out of their control?

No, it does not have to mean either of those things. There are steps leaders can take to help minimize the risk of these things happening, both to themselves and their companies.

Leaders will be Judged, but by What Standard?

Because statistics show that virtually all companies will eventually suffer some form of data breach, the standard by which their leadership is judged is not whether their company did or did not suffer a data breach. That is now a given.

Rather, the standard is whether, prior to a breach, the company had taken reasonable steps to protect its systems and data and whether it made appropriate plans to respond and mitigate the effects of such a breach.

Because the risk is foreseeable, the question is one of preparation. That is, did the leaders act reasonable in preparing their companies now that they are aware of the risks their companies face. If they did, they have much better odds. If they did not, they will be judged harshly.

How can leaders help prepare their companies for these challenges?

The 3 Steps

To prepare their companies, the C-Suite must show leadership on this issue by setting a tone for the company and establishing a culture of compliance when it comes to cyber security. This must come from the top down. There are three steps that leadership can take that will help create that culture:

  1. Leadership must truly care about cyber security and the digital business risks their company faces;
  2. Leadership must show its concern and commitment by dedicating appropriate resources for cyber security and minimizing digital business risks; and
  3. Leadership must listen to those responsible for, and who work most closely with, cyber security issues. By listening, leadership reaffirms its concern and commitment to a culture of compliance for cyber security. Leadership also increases its knowledge and understanding of the nature of the cyber security threats and the digital business risks the company faces.

Where Can Leaders Start?

The starting point for members of the C-Suite and Boardroom is to gain a better appreciation and understanding of the risks their companies face. There is a great opportunity for them to do this by attending an upcoming seminar sponsored by the North Texas Crime Commission.

The seminar, Strengthening the Weak Link: Cyber Security Essentials for the C-Suite, will be held at the George W. Bush Institute at Southern Methodist University on October 16, 2014.

The keynote speaker will be Tom Ridge, former Secretary of Homeland Security. There are several other notable speakers who will be sharing their knowledge of these risks, including members of the cyber units of the FBI, Secret Service, United States Department of Justice, and many others.

Register for the event on Eventbrite by clicking HERE! 

NTCC Cyber Security SeminarNTCC 3

NTCC 4

3 Important Questions the State Attorneys General Will Ask Your Company Following A Data Breach

shutterstock_67743352

In an earlier blog post I wrote about how

[w]hen your company has a data breach, these are the top 3 questions that you will be required to answer:

  1. How did the breach happen?
  2. What steps did your company take before the breach to protect the data and keep it from happening?
  3. What steps is your company taking after the breach to ensure this does not happen again?

These 3 questions serve as the framework for how you need to think about your company’s data security policies, procedures, and systems. (3 Important Questions Your Company Must Answer After A Data Breach | Shawn E. Tuma).

One of the main sources of these questions will be the Attorneys General of the states whose residents’ information was compromised in the data breach. In helping clients respond to data breach events in recent years, I have seen a tremendous increase in the level of interest and depth of inquiry from the AG’s offices within the last year and I expect this trend to continue.

This hunch seems to have some support from a recent article in Time discussing the response to the recent eBay data breach:

Attorneys General in three U.S. states along with European officials are investigating a massive data breach at eBay which may have compromised more than 100 million users’ passwords.

“The magnitude of the reported eBay data breach could be of historic proportions, and my office is part of a group of other attorneys general in the country investigating the matter,” said Florida Attorney General Pam Bondi in a statement Thursday.

The Federal Trade Commission and Attorneys General in Illinois and Connecticut have also vowed to conduct a probe into the incident.

“My office will be looking into the circumstances surrounding this breach as well as the steps eBay is taking to prevent any future incidents,” said Connecticut Attorney General Jepsen in a statement Thursday. “However, the most important step for consumers to take right now is to change their password and to choose a strong, unique password that is not easily guessed.”

(via Investigators Target eBay Over Massive Data Breach)

At this point, the article only mentions the AGs from 3 states — but my hunch tells me there will be a lot more involved before the dust has settled. What do you think?

About the author

Shawn Tuma is a lawyer who is experienced in advising clients on complex digital information law and intellectual property issues. These issues include things such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act; helping companies with data security issues from assessing their data security strengths and vulnerabilities, helping them implement policies and procedures for better securing their data, preparing data breach incident response plans, leading them through responses to a data breach, and litigating disputes that have arisen from data breaches. Shawn is a partner at BrittonTuma, a boutique business law firm with offices near the border of Frisco and Plano, Texas which is located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as throughout the nation pro hac vice). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.