Businesses Beware: You need to understand and adopt EMV / Chip-and-PIN Technology

“Visa, MasterCard, Discover, American Express and their banking partners have set a government-enforced deadline of Oct. 15 for a “liability shift” that, for the first time, would make merchants liable for fraudulent charges that result from using point-of-service readers that can’t read chip-and-pin EMV cards. The issuers have been implementing the technology, but it’s still up to companies including Home Depot, Target, Neiman Marcus and others to implement it or be held responsible for fraud resulting from continued use of magnetic strips.”

This quote comes from, Chip-and-PIN Procrastination Is Endangering Your Credit Card, an excellent article that goes into great detail to explain this technology, why you need it, and why the security benefits outweigh the inconvenience factor.

Is Your Mobile Device Secure? Find Out With the FCC’s New Tool

Data security is a hot issue right now. Given the increasing popularity and prevalence of mobile devices combined with their ability to easily store and access so much of our sensitive data, mobile device security is even hotter. The Federal Communications Commission (FCC) also recognizes the importance of this issue and now offers a free tool to help you better secure that smart phone or tablet that goes everywhere you go.

Think about it. If you are reading this there is little doubt that you own a smart phone or tablet, or both.  Now ask yourself a couple of questions:

  • Does it have any sensitive information stored on it that you would not want to openly share with others?
    • any embarrassing emails or text messages?
    • any pictures you wouldn’t want to show to the world?
    • any confidential notes or appointments?
  • Does it have the ability to access other sources of information that you would not want to openly share with others?
    • does it have online banking apps or other financial apps?
    • does it have an app to remotely access your other computers?
    • does it have access to your company’s network and the sensitive information it contains?
    • does it have access all of your (and your company’s) business contacts?
    • does it have any online shopping apps?

You get the picture — and so does the FCC as it explains along with many useful stats on its Official FCC Blog. That is why the FCC recently released the FCC Smartphone Security Checker. There is no cost to use the tool, all you have to do is click on the hyperlink and follow the instructions. There are customized tools for Android, iOS, BlackBerry, and Windows devices. Go check out the tool and make sure your mobile device is safe and secure — or at least as safe and secure as reasonably possible!

If you would like to talk with me about legal issues concerning data security or privacy, please feel free to give me a call (469.635.1335) or email me (

-Shawn E. Tuma

Guarding Against Idiocy (2 of 2)

(Part 2 of 2)

A few days ago I posted Guarding Against the Inside Job which was the first half of this thought — today’s post is part 2 — the fun one: Idiocy! Many of you already know that this name resembles that of one of my favorite movies. Need a hint?


Yep, Idiocy and Idiocracy are pretty close but they essentially mean the same thing: people doing really dumb things. This is the fun one, not just because of the name, but because we have all seen it and perhaps even fallen for it a time or two. This is where someone within the company just does something that’s dumb and, by doing it, opens the door for an outsider — a real “hacker” — to come in and have his way with the company computer system.

Let me start by asking you this simple question:

Have you ever heard of Stuxnet?

It is only the first known militarized use of a computer worm — the most advanced and sophisticated computer worm the world has ever seen. This is the one that took out Iran’s nuclear centrifuges. Now do you remember?

What is even more interesting about Stuxnet is, despite all of its sophistication, it couldn’t get into Iran’s nuclear facility on its own — it needed some help. By most accounts it found it in the form of a USB stick that someone working in the facility brought in and plugged into a computer in the facility. That was all of the help Stuxnet needed and it took care of the rest itself. If you want to read more about this, check out Hamish Barwick’s (@HamishBarwick) fascinating article Nuclear warheads could be next Stuxnet target — it is guaranteed to send a chill down your spine!

The point about the USB stick should send chills down the spine of every company out there as well. Do you want to take a guess at how much this happens at your company?

If you haven’t done a study to find out, that’s ok, you’re in luck. The United States Department of Homeland Security did one for you to find out how hard it is to corrupt workers and gain access to organizations’ computer systems. This is all explained in an article written by Cliff Edwards (, Olga Kharif (, and Michael Riley( in Bloomberg entitled Human Errors Fuel Hacking as Test Shows Nothing Stops Idiocy in which the authors provide a quote from Mark Rasch that sums it all up nicely:

“There’s no device known to mankind that will prevent people from being idiots”

In the article the authors explain the test by which computer disks and USB thumb drives were secretly dropped in the parking lots of government buildings and private contractors. Of those that were picked them up, 60 percent were plugged into office computers and if they had an official logo, 90 percent were installed.

You really need to read the extensive and very informative article. The ultimate finding was that human error alone can essentially nullify all of the expensive security systems your company has in place; humans are the weak link in the fight to secure networks against hackers.

From everything we have seen so far, that is indeed the case. So the question you have to ask yourself is, “are your people as well prepared as your network?”

Key Points of New California Data Breach Law – A Model for Others?

California Route Marker

Image via Wikipedia

California’s prior data breach law was the first in the nation and turned out to be a model that other states used for their own data breach laws. Whether the new law will have that same effect remains to be seen but, just in case, here is the 30,000 feet view of what it does:

A copy of the new statute, SB 24, essentially does the following:

  • Applies to anyone in California that owns or licenses computer data containing non-public personal information (last name + first name or initial + SS#, DL#, ID#, acct, debit, access #s, medical info, or health ins info)
  • Applies upon discovery or notification of a data breach of “unencrypted personal information”
  • Requires notice (written/electronic/posting) in the most expedient time possible and without unreasonable delay
  • Requires that data breach notifications specifically contain
    • general description of the incident
    • type of information breached
    • time of the breach, and
    • toll-free telephone numbers and addresses of the major credit reporting agencies in California
    • whether notification was delayed because of law enforcement
  • Requires data holders to send a copy of the notice to the Attorney General if the breach affects more than 500 people in California
  • (and a few more pages of details I didn’t cover)

Most of this information was taken from a nice article was written by Tanya Forsheit of InfoLawGroup entitled California Amends Data Breach Law – For Real This Time. Go check it out, this could be a model for things to come!

Minimizing the risk of employee data breach and privacy mischief in the cloud

Employees can get into quite a bit of mischief when they have access to the company’s data — especially disgruntled employees, as we saw in yesterday’s blog Computer Fraud and Abuse Act – great tool for taming an employee that’s gone off the deep end!. The mischief they can get into is increased exponentially with the ease and convenience of the cloud which also makes discovering it much harder.

It is important that companies maintain control over this potential problem. In addition to the traditional competitive reasons that that we are all familiar with, when an employee compromises the private data of others that the company maintains, it triggers all of the privacy and data breach concerns that we now hear so much about all over the news.

This is serious and can be devastating to a company. What is worse, as an attorney focused on helping companies address these kinds of concerns, I can tell you one thing for sure: if you do not know it’s happening, you can not do a thing about it!

Consider, for example, the subject of yesterday’s blog which was the case Wells Fargo Bank, NA v. ClarkIn that case the employee had to resort to more traditional means of obtaining the data by storing it on his company laptop which he then refused to return for over a month. And, when he did, it was virtually destroyed though with skilled computer forensics they were able to retrieve enough of the data to reveal what he had been doing. But,

What if they had not regained possession of the laptop?

What if they had not been able to obtain from that laptop the data showing that he had posted its confidential information on the internet?

That is exactly the point of an insightful blog on Securosis (@securosis) written by Rich Mogull that is entitled Detecting and Preventing Data Migrations to the Cloud. Rich offers a nice explanation of the problem:

One of the most common modern problems facing organizations is managing data migrating to the cloud. The very self-service nature that makes cloud computing so appealing also makes unapproved data transfers and leakage possible. Any employee with a credit card can subscribe to a cloud service and launch instances, deliver or consume applications, and store data on the public Internet. Many organizations report that individuals or business units have moved (often sensitive) data to cloud services without approval from, or even notification to, IT or security.

Fortunately, Rich tells companies how they can help mitigate these risks in two steps:

1.   Monitor for large internal data migrations with Database Activity Monitoring (DAM) and File Activity Monitoring (FAM).

2.   Monitor for data moving to the cloud with URL filters and Data Loss Prevention.

He then goes on to explain exactly what each of the above mean and how companies can do it. I encourage you to read the full blog post.

This is good advice that companies need to implement. Remember, if you don’t know what your employees are doing with your data or if you don’t know who’s doing it, there isn’t a thing you can do legally to stop it. As Rich observed, this solution isn’t perfect, however, these suggestions are a great way to help protect your data and, should that data be compromised, be in a position to find out who was responsible.

The legal influence of today’s CIO

In today’s companies the sphere of influence of CIOs is dramatically increasing vis-a-vis other C-Suite executives. This point was nicely made in a blog I read earlier this morning entitled CIO’s Seven Points of Key Influences that was written by Pearl Zhu. I believe that influence is even broader and also includes influence over legal issues as well.

Pearl’s post discusses the seven points of CIO’s influences: Strategy, Innovation, Technology, Culture, Talent, Sustainability, and Influencer. In fact, Pearl appropriately describes the CIO as being the Chief Influence Officer:

“Chief influence officer is the most persistent persona for CIO in 21st century, since the technology is ubiquitous in information age, however, the traditional big-box hardware style of IT infrastructure is disappearing, and more invisible digitized IT backbone based on Cloud computing is emerging, modern CIO is no longer just a chief infrastructure officer to manage back-office of functional IT, the strategic role is more based on the influence made across the organizational boundary, from innovation to sustainability, from talent management to cultural transformation.”

I agree! I would encourage you to read her blog as her arguments are convincing. But, I would also add an eighth:


Few would disagree that data breach has been one of the leading news stories of the year. This is not going to change any time soon as we continue to learn about more and more data breaches on a daily basis. When a company is hit with a data breach, it can cause catastrophic harm to the company’s bottom line in many ways because of the legal implications associated with the breach, whether it be an internal breach or the more notorious external hacking.

These events can be so substantial that they can threaten the very life of the company. Who other than the CIO is best equipped to understand the technical and practical side of these issues? Just consider the follow issues, which are becoming more and more common issues that companies need to address in the Information Age:

  • Securing the network from outside intrusion;

  • Determining appropriate insurance coverage to protect against data breach and privacy risk;

  • Developing appropriate policies for computer access and use;

  • Integrating technological restrictions on access to certain information;

  • Developing and implementing systems for monitoring or, at least, recording certain activities on the computer network; and

  • Securing and preserving reliable information for investigators concerning what information is compromised and, when possible, securing all available data to potentially track the intruder.

These are just a few of the issues that I thought of based upon recent “real world” events — I am sure you can think of many more. Come on, help me out here — tell me in the comments what other legal issues you can think of!

Oh, and there is one more — one that is particularly important: Last, but not least, the CIO can a great help in  finding great outside legal counsel to assist with handling all of these issues!