Here is an excellent presentation from SC Magazine that will help business leaders understand what a major threat data breach is to business: 2012 Data breach review – SC Magazine.
Data security is a hot issue right now. Given the increasing popularity and prevalence of mobile devices combined with their ability to easily store and access so much of our sensitive data, mobile device security is even hotter. The Federal Communications Commission (FCC) also recognizes the importance of this issue and now offers a free tool to help you better secure that smart phone or tablet that goes everywhere you go.
Think about it. If you are reading this, there is little doubt that you own a smart phone or tablet, or both. Now ask yourself a couple of questions:
- Does it have any sensitive information stored on it that you would not want to openly share with others?
  - any embarrassing emails or text messages?
  - any pictures you wouldn’t want to show to the world?
  - any confidential notes or appointments?
- Does it have the ability to access other sources of information that you would not want to openly share with others?
  - does it have online banking apps or other financial apps?
  - does it have an app to remotely access your other computers?
  - does it have access to your company’s network and the sensitive information it contains?
  - does it have access to all of your (and your company’s) business contacts?
  - does it have any online shopping apps?
You get the picture — and so does the FCC, as it explains, along with many useful stats, on its Official FCC Blog. That is why the FCC recently released the FCC Smartphone Security Checker. There is no cost to use the tool; all you have to do is click on the hyperlink and follow the instructions. There are customized tools for Android, iOS, BlackBerry, and Windows devices. Go check out the tool and make sure your mobile device is safe and secure — or at least as safe and secure as reasonably possible!
If you would like to talk with me about legal issues concerning data security or privacy, please feel free to give me a call (469.635.1335) or email me (firstname.lastname@example.org).
-Shawn E. Tuma
(Part 2 of 2)
A few days ago I posted Guarding Against the Inside Job which was the first half of this thought — today’s post is part 2 — the fun one: Idiocy! Many of you already know that this name resembles that of one of my favorite movies. Need a hint?
Yep, Idiocy and Idiocracy are pretty close but they essentially mean the same thing: people doing really dumb things. This is the fun one, not just because of the name, but because we have all seen it and perhaps even fallen for it a time or two. This is where someone within the company just does something that’s dumb and, by doing it, opens the door for an outsider — a real “hacker” — to come in and have his way with the company computer system.
Let me start by asking you this simple question:
Have you ever heard of Stuxnet?
It is only the first known militarized use of a computer worm — the most advanced and sophisticated computer worm the world has ever seen. This is the one that took out Iran’s nuclear centrifuges. Now do you remember?
What is even more interesting about Stuxnet is, despite all of its sophistication, it couldn’t get into Iran’s nuclear facility on its own — it needed some help. By most accounts it found it in the form of a USB stick that someone working in the facility brought in and plugged into a computer in the facility. That was all of the help Stuxnet needed and it took care of the rest itself. If you want to read more about this, check out Hamish Barwick’s (@HamishBarwick) fascinating article Nuclear warheads could be next Stuxnet target — it is guaranteed to send a chill down your spine!
The point about the USB stick should send chills down the spine of every company out there as well. Do you want to take a guess at how much this happens at your company?
If you haven’t done a study to find out, that’s OK; you’re in luck. The United States Department of Homeland Security did one for you, to find out how hard it is to corrupt workers and gain access to organizations’ computer systems. This is all explained in an article written by Cliff Edwards (email@example.com), Olga Kharif (firstname.lastname@example.org), and Michael Riley (email@example.com) in Bloomberg entitled Human Errors Fuel Hacking as Test Shows Nothing Stops Idiocy, in which the authors provide a quote from Mark Rasch that sums it all up nicely:
“There’s no device known to mankind that will prevent people from being idiots”
In the article the authors explain the test, in which computer disks and USB thumb drives were secretly dropped in the parking lots of government buildings and private contractors. Of those that were picked up, 60 percent were plugged into office computers, and of those that had an official logo, 90 percent were installed.
You really need to read the extensive and very informative article. The ultimate finding was that human error alone can essentially nullify all of the expensive security systems your company has in place; humans are the weak link in the fight to secure networks against hackers.
From everything we have seen so far, that is indeed the case. So the question you have to ask yourself is, “are your people as well prepared as your network?”
- Guarding Against the Inside Job (Part 1 of 2) (shawnetuma.com)
- Mossad’s Miracle Weapon – Stuxnet Virus Opens New Era of Cyber War (irannewpearlharbour.wordpress.com)
- Feature: How digital detectives deciphered Stuxnet, the most menacing malware in history (arstechnica.com)
- Stuxnet virus ‘could be adapted to attack the West’ (telegraph.co.uk)
California’s prior data breach law was the first in the nation and turned out to be a model that other states used for their own data breach laws. Whether the new law will have that same effect remains to be seen but, just in case, here is the 30,000-foot view of what it does:
The new statute, SB 24, essentially does the following:
- Applies to anyone in California that owns or licenses computer data containing non-public personal information (last name plus first name or initial, combined with a Social Security number, driver’s license number, state ID number, account, debit or access numbers, medical information, or health insurance information)
- Applies upon discovery or notification of a data breach of “unencrypted personal information”
- Requires notice (written/electronic/posting) in the most expedient time possible and without unreasonable delay
- Requires that data breach notifications specifically contain:
  - a general description of the incident
  - the type of information breached
  - the time of the breach
  - toll-free telephone numbers and addresses of the major credit reporting agencies in California, and
  - whether notification was delayed because of law enforcement
- Requires data holders to send a copy of the notice to the Attorney General if the breach affects more than 500 people in California
- (and a few more pages of details I didn’t cover)
Most of this information was taken from a nice article written by Tanya Forsheit of InfoLawGroup entitled California Amends Data Breach Law – For Real This Time. Go check it out; this could be a model for things to come!
Employees can get into quite a bit of mischief when they have access to the company’s data — especially disgruntled employees, as we saw in yesterday’s blog Computer Fraud and Abuse Act – great tool for taming an employee that’s gone off the deep end! The mischief they can get into increases exponentially with the ease and convenience of the cloud, which also makes discovering it much harder.
It is important that companies maintain control over this potential problem. In addition to the traditional competitive reasons that we are all familiar with, when an employee compromises the private data of others that the company maintains, it triggers all of the privacy and data breach concerns that we now hear so much about all over the news.
This is serious and can be devastating to a company. What is worse, as an attorney focused on helping companies address these kinds of concerns, I can tell you one thing for sure: if you do not know it’s happening, you cannot do a thing about it!
Consider, for example, the subject of yesterday’s blog, the case Wells Fargo Bank, NA v. Clark. In that case the employee had to resort to more traditional means of obtaining the data: storing it on his company laptop, which he then refused to return for over a month. And when he did, it was virtually destroyed, though with skilled computer forensics they were able to retrieve enough of the data to reveal what he had been doing. But,
What if they had not regained possession of the laptop?
What if they had not been able to obtain from that laptop the data showing that he had posted its confidential information on the internet?
That is exactly the point of an insightful blog on Securosis (@securosis) written by Rich Mogull that is entitled Detecting and Preventing Data Migrations to the Cloud. Rich offers a nice explanation of the problem:
One of the most common modern problems facing organizations is managing data migrating to the cloud. The very self-service nature that makes cloud computing so appealing also makes unapproved data transfers and leakage possible. Any employee with a credit card can subscribe to a cloud service and launch instances, deliver or consume applications, and store data on the public Internet. Many organizations report that individuals or business units have moved (often sensitive) data to cloud services without approval from, or even notification to, IT or security.
Fortunately, Rich tells companies how they can help mitigate these risks in two steps:
1. Monitor for large internal data migrations with Database Activity Monitoring (DAM) and File Activity Monitoring (FAM).
2. Monitor for data moving to the cloud with URL filters and Data Loss Prevention.
He then goes on to explain exactly what each of the above means and how companies can do it. I encourage you to read the full blog post.
This is good advice that companies need to implement. Remember, if you don’t know what your employees are doing with your data, or if you don’t know who’s doing it, there isn’t a thing you can do legally to stop it. As Rich observed, this solution isn’t perfect; however, these suggestions are a great way to help protect your data and, should that data be compromised, to be in a position to find out who was responsible.
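To make the two monitoring steps concrete, here is an added example (not from this post and not Securosis' code) that runs both checks over constructed sample records. Step 1 scans File Activity Monitoring records for a user who reads an unusually large volume of files within a short window (a candidate internal data migration); step 2 scans web-proxy/URL-filter records for upload-style requests to a watchlist of cloud storage domains, which is the simplest form of the URL-filter-plus-DLP check. The record layouts, thresholds, window size, domain watchlist and function names are all assumptions made for the example; a real DAM/FAM or DLP product exports different fields, but the logic is the same.

```python
"""Toy implementation of the two-step cloud-migration detection described in
the post. Added example with constructed data; field layouts, thresholds and
the domain watchlist are assumptions, not a vendor's format."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def _ts(text):
    return datetime.strptime(text, TS_FORMAT)


# Constructed File Activity Monitoring records: (timestamp, user, action, path, bytes)
FILE_ACTIVITY = [
    ("2011-07-12 09:01:10", "alice", "READ", "//fs1/finance/budget.xlsx", 2_000_000),
    ("2011-07-12 09:03:45", "alice", "READ", "//fs1/finance/forecast.xlsx", 3_000_000),
    ("2011-07-12 14:10:02", "bob", "READ", "//fs1/customers/list.csv", 120_000_000),
    ("2011-07-12 14:12:30", "bob", "READ", "//fs1/customers/contracts.zip", 900_000_000),
    ("2011-07-12 14:15:11", "bob", "READ", "//fs1/customers/notes.docx", 40_000_000),
    ("2011-07-12 16:40:00", "carol", "READ", "//fs1/hr/payroll.xlsx", 800_000_000),
    ("2011-07-12 17:20:00", "carol", "READ", "//fs1/hr/benefits.pdf", 300_000_000),
]

# Constructed web-proxy records: (timestamp, user, method, url, bytes_sent)
PROXY_LOG = [
    ("2011-07-12 10:05:00", "alice", "GET", "https://www.dropbox.com/home", 512),
    ("2011-07-12 11:30:00", "dave", "POST", "https://docs.google.com/upload", 2_500_000),
    ("2011-07-12 12:00:00", "erin", "POST", "https://intranet.example.com/forms", 3_000_000),
    ("2011-07-12 13:00:00", "dave", "POST", "https://s3.amazonaws.com/some-bucket/dump.sql", 60_000_000),
    ("2011-07-12 14:21:05", "bob", "PUT", "https://dl-web.dropbox.com/upload/contracts.zip", 905_000_000),
]

# Constructed watchlist of cloud storage domains (matched by suffix so
# sub-domains such as dl-web.dropbox.com are caught too)
CLOUD_STORAGE_DOMAINS = ("dropbox.com", "docs.google.com", "s3.amazonaws.com")


def large_internal_migrations(records, window_minutes=10, byte_threshold=1_000_000_000):
    """Step 1 (DAM/FAM): for each user, find the busiest sliding window of
    reads and alert when its byte total crosses the threshold.
    Returns {user: peak_bytes_in_window} for users who tripped it."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ts, user, action, _path, nbytes in records:
        if action in ("READ", "COPY"):
            by_user[user].append((_ts(ts), nbytes))
    alerts = {}
    for user, events in by_user.items():
        events.sort()
        start, running, peak = 0, 0, 0
        for when, nbytes in events:
            running += nbytes
            # drop events that fell out of the window behind the current one
            while when - events[start][0] > window:
                running -= events[start][1]
                start += 1
            peak = max(peak, running)
        if peak >= byte_threshold:
            alerts[user] = peak
    return alerts


def _on_watchlist(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def cloud_uploads(records, domains=CLOUD_STORAGE_DOMAINS, min_bytes=1_000_000):
    """Step 2 (URL filter + DLP): flag POST/PUT requests to watch-listed cloud
    domains that carry at least min_bytes. Returns [(user, host, bytes)]."""
    hits = []
    for _ts_text, user, method, url, nbytes in records:
        host = (urlsplit(url).hostname or "").lower()
        if method in ("POST", "PUT") and nbytes >= min_bytes and _on_watchlist(host, domains):
            hits.append((user, host, nbytes))
    return hits


def bytes_to_cloud_per_user(hits):
    """Aggregate flagged upload volume per user."""
    totals = defaultdict(int)
    for user, _host, nbytes in hits:
        totals[user] += nbytes
    return dict(totals)


def correlate(migrations, hits):
    """Users who both pulled a large volume internally and pushed data to a
    cloud service: the sequence the post is worried about, so review first."""
    uploaders = {user for user, _host, _nbytes in hits}
    return sorted(set(migrations) & uploaders)


if __name__ == "__main__":
    migrations = large_internal_migrations(FILE_ACTIVITY)
    hits = cloud_uploads(PROXY_LOG)
    print("Large internal migrations:", migrations)
    print("Flagged cloud uploads:", hits)
    print("Bytes to cloud per user:", bytes_to_cloud_per_user(hits))
    print("Users to investigate first:", correlate(migrations, hits))
```

With the sample data only bob trips step 1 (about 1.06 GB read in five minutes), while carol's two large reads fall outside a 10-minute window and are only flagged if the window is widened; the window size is therefore the tuning knob that decides how much normal bulk work is tolerated. Step 2 flags dave's uploads to two cloud services and bob's upload to Dropbox, and the correlation puts bob at the top of the review list. Neither check is a substitute for a commercial DLP product that inspects content, but both can be built from logs most companies already collect.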
In today’s companies the sphere of influence of CIOs is dramatically increasing vis-à-vis other C-Suite executives. This point was nicely made in a blog I read earlier this morning entitled CIO’s Seven Points of Key Influences, written by Pearl Zhu. I believe that influence is even broader and also extends to legal issues.
Pearl’s post discusses the seven points of CIO’s influences: Strategy, Innovation, Technology, Culture, Talent, Sustainability, and Influencer. In fact, Pearl appropriately describes the CIO as being the Chief Influence Officer:
“Chief influence officer is the most persistent persona for CIO in 21st century, since the technology is ubiquitous in information age, however, the traditional big-box hardware style of IT infrastructure is disappearing, and more invisible digitized IT backbone based on Cloud computing is emerging, modern CIO is no longer just a chief infrastructure officer to manage back-office of functional IT, the strategic role is more based on the influence made across the organizational boundary, from innovation to sustainability, from talent management to cultural transformation.”
I agree! I would encourage you to read her blog as her arguments are convincing. But, I would also add an eighth:
Few would disagree that data breach has been one of the leading news stories of the year. This is not going to change any time soon as we continue to learn about more and more data breaches on a daily basis. When a company is hit with a data breach, it can cause catastrophic harm to the company’s bottom line in many ways because of the legal implications associated with the breach, whether it be an internal breach or the more notorious external hacking.
These events can be so substantial that they can threaten the very life of the company. Who other than the CIO is best equipped to understand the technical and practical side of these issues? Just consider the following issues, which companies increasingly need to address in the Information Age:
- Securing the network from outside intrusion;
- Determining appropriate insurance coverage to protect against data breach and privacy risk;
- Developing appropriate policies for computer access and use;
- Integrating technological restrictions on access to certain information;
- Developing and implementing systems for monitoring or, at least, recording certain activities on the computer network; and
- Securing and preserving reliable information for investigators concerning what information is compromised and, when possible, securing all available data to potentially track the intruder.
These are just a few of the issues that I thought of based upon recent “real world” events — I am sure you can think of many more. Come on, help me out here — tell me in the comments what other legal issues you can think of!
Oh, and there is one more — one that is particularly important: last, but not least, the CIO can be a great help in finding great outside legal counsel to assist with handling all of these issues!
Computer hacking, data breach, data privacy, and information security have dominated the news lately and created a sense of urgency in Congress to “do something” to fix the problems. Over the last few days I have searched the web for a source to keep me updated on all of the cyber-legislation that is currently pending in the 112th United States Congress. I have been unable to find such a source, so I have resorted to a rather crude search of the Library of Congress’ “Thomas” website — this is my first “search” of Thomas for such purposes, so I can’t guarantee the accuracy of my research. Since I am going through the trouble myself, however, I thought I would share it with you as well.
The following is an over-inclusive (by a long shot) list of the current legislative initiatives that I have found that appear to be privacy or cyber related. Initially, I went through and linked each bill to its Thomas summary but then, after going through that whole process, learned the hard way that Thomas times out after 30 minutes and the links were useless. As my teenage daughter would say, that was a FAIL! So, we’ll just have to use a workaround — go HERE and type in the Bill Number and it will take you to the Thomas page where you can find the text and summary of the legislation as well as track its status and find other helpful information.
H.R.76 : Cybersecurity Education Enhancement Act of 2011
H.R.102 : Photo Identification Security Act
H.R.108 : Voting Opportunity and Technology Enhancement Rights Act of 2011
H.R.174 : Homeland Security Cyber and Physical Infrastructure Protection Act of 2011
H.R.220 : Identity Theft Prevention Act of 2011
H.R.352 : To permit members of the House of Representatives to donate used computer equipment to public elementary and secondary schools designated by the members.
H.R.423 : Member Address Privacy and Protection Act
H.R.427 : To amend the Internal Revenue Code of 1986 to provide a 5-year recovery period for computer-based gambling machines.
H.R.484 : Personal Privacy Clarification Act
H.R.592 : Sunshine in Litigation Act of 2011
H.R.611 : Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act / BEST PRACTICES ACT
H.R.653 : Financial Information Privacy Act of 2011
H.R.654 : Do Not Track Me Online Act
H.R.685 : Checkpoint Images Protection Act of 2011
H.R.877 : To express the sense of Congress that Federal job training programs that target older adults should work with nonprofit organizations that have a record of success in developing and implementing research-based technology curriculum designed specifically for older adults.
H.R.948 : Embedded Mental Health Providers for Reserves Act of 2011
H.R.1059 : To protect the safety of judges by extending the authority of the Judicial Conference to redact sensitive information contained in their financial disclosure reports, and for other purposes.
H.R.1136 : Executive Cyberspace Coordination Act of 2011
H.R.1187 : Fix HIT Act of 2011
H.R.1261 : Chief Technology Officer Act
H.R.1279 : Aircraft Passenger Whole-Body Imaging Limitations Act of 2011
H.R.1389 : Global Online Freedom Act of 2011
H.R.1509 : Medicare Identity Theft Prevention Act of 2011
H.R.1528 : Consumer Privacy Protection Act of 2011
H.R.1538 : Social Security Identity Defense Act of 2011
H.R.1707 : Data Accountability and Trust Act
H.R.1841 : Data Accountability and Trust Act (DATA) of 2011
H.R.1895 : Do Not Track Kids Act of 2011
H.R.2004 : Technology Security and Antiboycott Act
H.R.2089 : Technology Helps Revamp, Evaluate, and Expedite Designs Act of 2011
H.R.2096 : Cybersecurity Enhancement Act of 2011
H.R.2102 : FCC Commissioners’ Technical Resource Enhancement Act
H.R.2125 : Electronic Paycard Protection Act of 2011
H.R.2168 : Geolocational Privacy and Surveillance Act
(Discussion Draft) “Secure and Fortify Electronic Data Act” or the “SAFE Data Act” (Introduced 6/10/11)
H.RES.98 : Expressing the Sense of the House of Representatives that the Commissioner of the Food and Drug Administration should give the greatest weight in making critical policy decisions to readily available hard science data, including evidence from the natural sciences, physical sciences, and computing sciences.
H.RES.175 : Expressing the sense of the House of Representatives that in order to continue aggressive growth in the Nation’s telecommunications and technology industries, the United States Government should “Get Out of the Way and Stay Out of the Way”.
S.1 : American Competitiveness Act
S.8 : Tough and Smart National Security Act
S.21 : Cyber Security and American Cyber Competitiveness Act of 2011
S.193 : USA PATRIOT Act Sunset Extension Act of 2011
S.224 : Stalkers Act of 2011
S.257 : Small Business Broadband and Emerging Information Technology Enhancement Act of 2011
S.290 : USA PATRIOT Act Sunset Extension Act of 2011
S.372 : Cybersecurity and Internet Safety Standards Act
S.413 : Cybersecurity and Internet Freedom Act of 2011
S.539 : Behavioral Health Information Technology Act of 2011
S.611 : FCC TECH Act
S.643 : Fix HIT Act of 2011
S.799 : Commercial Privacy Bill of Rights Act of 2011
S.801 : Information Technology Investment Management Act of 2011
S.813 : Cyber Security Public Awareness Act of 2011
S.848 : Consumer Information Enhancement Act of 2011
S.890 : Fighting Fraud to Protect Taxpayers Act of 2011
S.913 : Do-Not-Track Online Act of 2011
S.1011 : Electronic Communications Privacy Act Amendments Act of 2011
S.1050 : Fourth Amendment Restoration Act
S.1070 : Fourth Amendment Restoration Act
S.1073 : A bill to require the Attorney General to establish minimization and destruction procedures governing the acquisition, retention, and dissemination by the Federal Bureau of Investigation of certain records.
S.1075 : A bill to provide judicial review of National Security Letters.
S.1125 : USA PATRIOT Act Improvements Act of 2011
S.1151 : Personal Data Privacy and Security Act of 2011
S.1152 : Cybersecurity Enhancement Act of 2011
S.1159 : Cyberspace Warriors Act of 2011
S.1199 : Protecting the Privacy of Social Security Numbers Act
S.1207 : Data Security and Breach Notification Act of 2011
S.1212 : Geolocational Privacy and Surveillance Act
S.1223 : Location Privacy Protection Act of 2011
S.RES.35 : A resolution expressing support for the designation of January 28, 2011 as National Data Privacy Day.
S.AMDT.141 to S.23 : To clarify that section 14 shall not apply to an invention that is a computer program product or system used solely for preparing a tax or information return or other tax filing.
If you find that something is missing and should have been included, please let me know and I’ll make the addition. Better yet, if you know of a website that has this information and keeps it updated, let me know — I’ve never been much on reinventing the wheel!
- Personal Data Privacy and Security Act of 2011 (fraud20.com)
- Senator Says it is Time to Update Outdated Law (ghacks.net)
- Congress looks to curb mobile location tracking (macworld.com)
- Focus On Data Breaches Tops House Commerce Privacy Agenda (techdailydose.nationaljournal.com)
- Sen. Al Franken Introduces the Location Privacy Protection Act of 2011 (dandelionsalad.wordpress.com)
- Obama delivers new cyber-security plan (rt.com)
- Leahy Proposes Changes To Electronic Privacy Law (techdailydose.nationaljournal.com)
- Sony and Epsilon Agree to Testify Before Congress (bits.blogs.nytimes.com)
- Mobile Location Privacy a Hot Topic on Capitol Hill (technologizer.com)