In the “the CFAA prevents companies from defending themselves” corner we have New Bill Would Allow Hacking Victims to ‘Hack Back’, in The Hill, discussing The Active Cyber Defense Certainty Act (ACDC). ACDC (what a great acronym!) would allow companies more latitude in defending themselves against those intruding into their networks by permitting them to use techniques described as “active defense,” under certain conditions, though not permitting companies to counterattack.
Now, instead of thinking about these two measures in isolation, think of them together. What if we were to get both of them passed into law? What if we got one or the other?
The CFAA has become a national lightning rod, with many loving it, many hating it, and far too many loving it and hating it at the same time without even realizing it. Before we go any further, however, consider this quote:
The CFAA was tailor-made to punish precisely the kind of behavior that [guess who?] is charged with: breaking into other people’s accounts and disseminating their … information.
Quick! Who is that referring to? Hunter Moore? Edward Snowden? Aaron Swartz? Sandra Teague?
I used this overly simplified example to try and make a point that, philosophically, we as a nation need to stop looking at each of these cases and laws in isolation and need to look at the bigger picture of how it all fits together. Picking and choosing based upon our own personal likes and dislikes due to the emotional tug of the facts is no way to develop, maintain, and mature a body of law on any subject matter — much less one as complicated as cyber.
Take this discussion and add into the mix new security-based laws such as NYDFS and then mix in the 48 states + HIPAA, GLBA, etc. breach notification laws, the conundrum of cybersecurity law schizophrenia, and then see what we have to work with. Does it all make sense?
What do you think? Where do we begin? Who needs to be involved in working this out? What are the first questions we need to ask?
The US House of Representatives has passed legislation similar to that recently passed by the Senate that would require the National Institute of Standards and Technology (NIST) to produce cybersecurity guidance aimed at helping small businesses. The NIST Small Business Cybersecurity Act of 2017 would have NIST create guidelines, tools, and best practices to help smaller businesses reduce their cybersecurity risk.
(9/15/17) I have written a good bit about shame hacking and how hackers’ efforts to monetize their activities have evolved to their using shame, or embarrassment, as a tool to extort payments from their targets. This case seems to be taking it to a new level. For the last two days we have all seen the news about how Equifax’s failure to patch was the cause of the breach. Today, it got worse.
Now, apparently, the hackers are trying to play the role of “good guys” by telling the secrets of how they hacked Equifax, how easy it was, and just how negligent Equifax was in defending its network. Check out this story (which seems to be legit): How Equifax got Hacked
Stop and think about this for a moment:
The hackers — the criminals who attacked Equifax and stole data from at least hundreds of thousands of people to potentially hundreds of millions of people — are now coming out and shaming Equifax for allowing them to do what they did.
Now I understand, with these revelations about its security practices, it is hard to feel sorry for Equifax and view it as the victim, and I’m not suggesting that we should. But let’s also not forget that Equifax was the company that was attacked — and now the attackers are the ones telling all to shame the company they attacked. We must keep this in perspective.
The problem is, we will not keep it in perspective. We, as part of the masses, will all start to dogpile Equifax even more for the juicy scoop that the hackers are revealing about the company they attacked, and the hackers are stoking the flames: “if I have to release the information and make it public for these companies to finally acknowledge and admit their fuck ups (maybe not blame on apache flaw either) then I will” — the hackers
I am all for learning any lessons that we can from this attack, even if from the hackers themselves, and I am all for really letting Equifax have it for what they did, but the one thing I am not for is making these hackers out to be heroes in the end. As ridiculous as this may seem, now on 9/15/17, it would not be unprecedented … please, please, please, do not make these guys out to be heroes because they are not. They are criminals.
This is taking shame hacking to a new level. This kind of taunting would get a college or NFL football player ejected from a game — and we the people will enjoy every bit of it!
Stay tuned, this is getting interesting …
Will I lead a consumer class action lawsuit against Equifax?
I have received more inquiries from people via calls, emails, and social media posts who are interested in pursuing a class action lawsuit against Equifax than I have following every other breach combined, by at least double or triple the numbers! However, while it is clear that people want their pound of flesh, it will not be me leading the charge.
What to do if you’re impacted by the Equifax data breach?
I doubt I could do a better job of giving you advice on this than the Federal Trade Commission can, so check out their Consumer Information page that explains what to do and how to do it: The Equifax Data Breach: What to Do
Given that data breaches are the new normal, I see no reason why we shouldn’t all have some form of credit monitoring as one more level of protecting ourselves. While Equifax is offering a year of free credit monitoring using its service, if you’re reluctant to sign up for Equifax’s free credit monitoring, you should sign up for somebody’s even if it means paying for it. My friend Todd Hindman works for ID Experts and they have a top-notch product: https://www2.idexpertscorp.com/
Here are some general talking points I used for a couple of media interviews on this (much of this came directly from the FTC website):
IDENTITY THEFT – HOW DO INDIVIDUALS PROTECT THEMSELVES
[This week’s update]
[Last week’s update]
The SecureWorld News Team talked with me about many of the lessons that can be learned from the Equifax data breach and winnowed it down to the following 3 takeaways that are discussed more thoroughly in the article:
We need a uniform national breach notification law in the United States.
When it comes to data breach response, “[i]t’s not about what you do right, as much as what you do not do wrong.”
Will Equifax be the “tipping point” for companies to take action on cybersecurity, much the way Target was the “tipping point” for awareness?
My friend Roberta Anderson and I had a conversation on Facebook in which she shared an article she wrote back in April 2014 (Business Forum: Target security breach could be a wake-up call) about the Target data breach being the tipping point for raising awareness about the need for cybersecurity and the risks of data breach. Her question to me was whether I thought Equifax would be another such tipping point. Here is the link to the Facebook post if you want to join the conversation.
Here is my response, also in the post above:
Roberta, that is an excellent article and some excellent questions you raise about Equifax. I recall back in 2011 hearing that year was the “Year of the Data Breach” because we thought, at the time, that with news of *some* data breaches making their way into the traditional news headlines it would be enough to jolt business leaders to start taking action. It wasn’t. As you predicted back in April 2014, it was going to be Target that really turned out to be the “tipping point” and I firmly believe that it was quite a watershed moment in the world of cybersecurity and data breach insofar as raising awareness is concerned. Unfortunately, it wasn’t enough. It wasn’t enough to move from mainstream awareness to mainstream action.
Now to the question of Equifax — will it be the “tipping point” that moves the needle from awareness to action? It very well could be for several reasons. First and foremost, people are pissed — really pissed — about a company that has made its business off of judging them and their “worthiness” now not only showing its unworthiness but also doing so at the expense of the people it has been judging — without their consent! In the world of perception and persuasion, that’s a horrible fact. I have seen this firsthand — I have received two to three times more telephone calls, emails, texts, and social media messages asking me to bring a class action lawsuit against Equifax in less than a week than I have in the wake of every other data breach combined — COMBINED! People want their pound of flesh! Add to that the actions of the executives in selling their stock, post-breach (whether they knew or not), the perceived delay in notifying, and the extreme sensitivity of the data involved and you have the makings of a nuclear bomb of breach consequences which are already forming with the lawsuits, extended publicity, and congressional inquiries. But, will that be enough to move the needle to action? I don’t know … will their stock rebound? Will the congressional inquiry go the way of Yahoo’s CEO (who also received letters of inquiry from Congress)? Will the insurance cover much of the sting? Will the execs lose their jobs — without golden parachutes that provide them with better landings than most of us will ever have in our lives? Or, will somebody go to jail and, if so, under what theory?
Effective cybersecurity is hard and requires a commitment to a perpetual journey that has no final destination. That’s not a journey that most companies will truly commit to unless they are forced to do so — even if they *should*. Unless someone really pays the price for this Equifax incident, in a grand and public manner for all of the world to see (no, I’m not suggesting a public hanging — but something that will leave the imagery in the public’s mind the way those once did — like the Ford Pinto case), I just don’t know.
Will Equifax get hit for this data breach like Ford did for its “bean counting” in the Pinto case?
Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.
Shawn Tuma delivered the presentation Cybersecurity Legal Issues: What you really need to know at a Cybersecurity Summit sponsored by the Tarleton State University School of Criminology, Criminal Justice, and Strategic Studies’ Institute for Homeland Security, Cybercrime and International Criminal Justice. The presentation was on September 13, 2016 at the George Bush Institute. The following are the slides from Tuma’s presentation — a video of the presentation will be posted soon!