There is more and more talk about companies hacking back against those who attack them in cyber space and whether allowing them to take such measures is a good idea. Right now, hacking back, or active defense, as it is often called, is illegal under the federal unauthorized access law, the Computer Fraud and Abuse Act. There are current federal efforts to change this, along with some woefully misguided rumblings by some state legislators (who do not seem to understand that the CFAA supersedes anything they pass to the contrary).
So, the question is whether hacking back a good idea or will it cause more harm than good? Shawn Tuma was a guest on the KLIF morning show to discuss this issue. Go here to listen to what he had to say about it.
The approach to data protection, and the enforcement of it, should and will be the same 36 days from now as it ever was: Following the rules is the way to go. But if you fail there, yeah, there are going to be some problems.
“The aim of our office is to prevent harm, and we place support and compliance at the heart of our regulatory action,” Denham said. “Voluntary compliance is still the preferred route, but we will back that up with tough action where it’s necessary. Hefty fines can and will be levied on those organizations that persistently, deliberately, negligently flout the law. Report to us, engage with us, show us your effective accountability measures, and if you do, that’s going to be a really important factor when we consider any regulatory action.”
Business Security Weekly, Episode 81, featured Michael Santarcangelo (@catalyst) inviting Shawn Tuma to join as co-host and guest to discuss two topics that should be near and dear to everyone’s hearts:
The legal case for why companies need cyber risk management programs and what experienced cybersecurity attorneys’ roles are in such programs; and
The frequently cited but often misunderstood role of attorney-client privilege in cybersecurity.
Business Security Weekly – now on Monday to kick start your week. @shawnetuma joining me today as co-host & guest (he’s that awesome)… https://t.co/pKKuqaRFXv
Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.
During a presentation yesterday, I was trying to make a point about the liability that comes with data and, therefore, the need for us to never forget that in cybersecurity our ultimate goal is protecting systems and data. I used the little line at the end of this quote:
Data equals risk. It is toxic because of the potential liability that goes with it. Data is the hot potato.
Despite how corny it sounds, I had several people approach me later to tell me how much “data is the hot potato” stuck with them (and, it could be because I had them join me in chanting it!). So, why not share it with you? Now join me in chanting,
Data is the hot potato!
Data is the hot potato!
Data is the hot potato!
Data is the hot potato!
______________________
Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.
In the world of cybersecurity and data protection, we tend to think about most cyber incidents as being “data breaches” because that’s the term de jour that occupies news headlines. Because of this, far too many companies think that if they do not have valuable data that hackers would want to “breach,” so to speak, they do not need to be concerned about cybersecurity. While this is wrong on one level because all data has value to hackers, it is even more wrong on a much greater level.
There is a lot more to cybersecurity and data protection than just breaches of the confidentiality of data (i.e., “data breaches“). Hackers have shown a strong trend over the last couple of years of attacking the computer system itself and, as some call it, “bricking” company’s computers and/or data and demanding an extortion payment in exchange for their promise to honor their word and undo the damage (if they even can). This is the process underlying what is often called ransomware.
Do you see where I’m going with this? If not, let me see if I can simplify this process for you a bit with the question below: (1) If you still think your company does not have data that is valuable to hackers, and (2) You still think that means that your company does not need to focus on cybersecurity,
Can your company continue to do business if it is not able to use its computer system?
Now, let me ask you, “how many days can your company go without doing whatever it is that it does before it really begins to hurt?”
Still need more convincing? Ok, I addressed this issue in more detail in Chapter 5 of The #CyberAvengers Playbook (free to download) — go give it a read.
The City of Atlanta is currently experiencing outages on various customer facing applications, including some that customers may use to pay bills or access court-related information. We will post any updates as we receive them. pic.twitter.com/kc51rojhBl
Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.
