GDPR, snooping tech, and data privacy — what does this all mean? Shawn Tuma explains

The EU’s GDPR, devices and services snooping on our privacy, and data privacy law – what does this all mean?

Shawn Tuma explains to CW33’s Morning Dose why the EU’s General Data Protection Regulation (GDPR) can be a positive step in the long run for simplifying data security and data privacy when compared to the multitude of different federal, state, and local laws in the United States.

Shawn Tuma discusses on The Michelle Mendoza Show on Seattle’s 820 AM, The Word

 

The EU’s GDPR, attorney Shawn Tuma discusses on the Steve Gruber Show

 

See also: Integrating Amazon’s “Rekognition” Tool with Police Body Cameras — Shawn Tuma Discusses on CW33 Morning Dose

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Integrating Amazon’s “Rekognition” Tool with Police Body Cameras — Shawn Tuma Discusses on CW33 Morning Dose

There has been an outcry over law enforcement using Amazon’s “Rekognition” facial recognition tool and integrating it with their body cameras for nearly real-time identification capabilities. CW33’s Morning Dose had cybersecurity and data privacy attorney Shawn Tuma on as a guest to discuss this issue, as seen on this video:

 

Here is another story with additional commentary by Tuma (2:01 mark):

 

See also: The EU’s GDPR, devices and services snooping on our privacy, and data privacy law – what does this all mean? Shawn Tuma discusses on The Michelle Mendoza Show on Seattle’s 820 AM, The Word

 


Facebook Suspends 200 Apps for Data Privacy Concerns — What Does This Really Mean?

Facebook suspended 200 apps due to data privacy concerns, which it revealed earlier this week. Shawn Tuma explains some of the key points about this in the following television and radio interviews:

CW33 Morning Dose talks to cybersecurity lawyer, Shawn Tuma, about Facebook suspending 200 apps

Facebook suspends 200 apps following Cambridge Analytica revelations, what does this mean? Shawn Tuma discusses on 710 KURV in McAllen, Texas

See also: Cell phone carriers are sharing your real-time location with private companies, what does this mean? Shawn Tuma discusses on The Steve Gruber Show

 

Happy Data Privacy Day!

WHAT ARE YOU DOING TO OBSERVE IT?

Today is Data Privacy Day! If you have been wondering “what is Data Privacy Day?” then this is your lucky day because not only is today Data Privacy Day, but here is the answer and an explanation for why it really matters to you and your company’s future success.

What is Data Privacy Day?

Data Privacy Day is observed every year on January 28 and is led by the National Cyber Security Alliance (NCSA), a nonprofit, public-private partnership dedicated to cybersecurity education and awareness. According to the NCSA,

Data Privacy Day is an international effort to empower and educate people to protect their privacy and control their digital footprint.

Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the January 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. Data Privacy Day is now a celebration for everyone, observed annually on January 28.

Data flows freely in today’s online world. Everyone – from home computer users to multinational corporations – needs to be aware of the personal data others have entrusted to them and remain vigilant and proactive about protecting it. Being a good online citizen means practicing conscientious data stewardship. Data Privacy Day is an effort to empower and educate people to protect their privacy, control their digital footprint, and make the protection of privacy and data a great priority in their lives.

14 Tips For Keeping Your Company’s Data Secure

In honor of Data Privacy Day, the International Association of Privacy Professionals (iapp) has posted an article with 14 tips you need to consider when evaluating how to keep your company’s data secure:

  1. Know Thy Data. Determine what data you collect and share. Classify it according to its level of criticality and sensitivity. What could be considered PII? Define whether data is “in use,” “in motion” or “at rest.” Know where the data is physically stored.
  2. Terms and Conditions May Apply. Make sure your privacy policy reflects current data practices (see Tip #1). This includes the use of third-party advertisers, analytics, and service providers. Periodically review and confirm these third parties comply with your written policies.
  3. You Don’t Know What You’ve Got Till It’s Gone. Conduct annual audits to review whether your data should be retained, aggregated or discarded. Data that’s no longer used needs to be securely decommissioned. Create a data retention policy dictating how long you keep information once it’s fulfilled its original purpose. And, of course, continually ask whether that purpose is still valid and relevant.
  4. Practice or You’ll Breach. Forged e-mail, malvertising, phishing, social engineering exploits and data snooping via unencrypted transmissions are on the rise. From simple controls to sophisticated gears, make sure you’ve implemented leading security “best practices.”
  5. AYO Technology! Data Loss Prevention (DLP) technologies identify vulnerabilities of potential exposures. These work in conjunction with existing security and antivirus tools. From early warnings of irregular data flows to unauthorized employee access, DLP solutions help minimize and remediate threats.
  6. BYOD Is Like a BYOB House Party. The lack of a coherent bring-your-own-device (BYOD) program can put an organization at risk. User devices can easily pass malware and viruses onto company platforms. Develop a formal mobile device management program that includes an inventory of all personal devices used in the workplace, an installation of remote wiping tools and procedures for employee loss notification.
  7. Insist on a List. To mitigate the grave impact on your organization, inventory key systems, access credentials and contacts. This includes bank accounts, registrars, cloud service providers, server hosting providers and payroll providers. Keep this list in a secure yet accessible location.
  8. Forensics – Don’t Do This at Home. The forensics investigation is essential in determining the source and magnitude of a breach. This is best left to the experts as it’s easy to accidentally modify or disrupt the chain of custody.
  9. Where the Logs At? Logs are fundamental components in forensics analysis, helping investigators understand what data was compromised. Types of logs include transaction, server access, firewall and client operating system. Examine all logs in advance to ensure correct configuration and time-zone synchronization. Routinely back them up; keep copies, and make sure they’re protected.
  10. Incident Response Team to the Rescue! Breaches are interdisciplinary events requiring coordinated strategies and responses. The team should represent every functional group within the organization, with an appointed executive who has defined responsibilities and authority. Establish “first responders” available 24/7 (hackers don’t work a 9 to 5 schedule).
  11. Get Friendly With the “Fuzz.” Reach out to law enforcement and regulators prior to an incident. Know who to contact so you won’t have to introduce yourself in the “heat of the battle.” When you have bad news to report, make sure they hear directly from you (a courtesy call goes a long way). Don’t inflame the situation by becoming defensive; focus on what you’re doing to help affected parties.
  12. Rules, Rules, Rules. Become intimately familiar with the international, domestic and local regulations that specifically relate to your organization. The failure to notify the appropriate governmental body can result in further inquiries and fines.
  13. What Did You Say? A well-executed communications plan not only minimizes harm and potential legal consequences, it also mitigates harm to a company’s reputation. Address critical audiences and review applicable laws before notifying. Tailor your message by geographic region and demographics. Knowing what to say is just as important as knowing what NOT to say.
  14. Help Me Help You. Customers want organizations to take responsibility and protect them from the potential consequences of a breach. The DIP should include easy-to-access remedies that offset the harm to affected parties.
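
Tip #1 is the one item on this list that you can partly automate. As an added example (it is not from the IAPP article or from this blog), here is a small Python pass that scans records for U.S. Social Security numbers, Luhn-valid payment card numbers and e-mail addresses, labels each record under an assumed three-tier sensitivity scheme, and masks the hits so that the resulting inventory does not itself become a new store of PII. The record fields, the labels and the sample records are constructed for illustration.

```python
"""Data-classification pass for tip #1 ("Know Thy Data").

Added example; it is not from the IAPP article or this blog. The field
names, sensitivity labels and sample records below are assumptions
constructed for illustration.
"""
import re

# U.S. SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card number: 13-19 digits, optional single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

# Assumed three-tier scheme: which PII type drives which label.
SENSITIVITY = {"ssn": "restricted", "card": "restricted", "email": "confidential"}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Return the SSNs, Luhn-valid card numbers and e-mail addresses found in text."""
    found = {"ssn": [], "card": [], "email": []}
    found["ssn"] = [m.group() for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found["card"].append(m.group())
    found["email"] = [m.group() for m in EMAIL_RE.finditer(text)]
    return found


def classify(record: dict) -> str:
    """Label a record by the most sensitive PII it carries."""
    found = find_pii(" ".join(str(v) for v in record.values()))
    levels = {SENSITIVITY[kind] for kind, hits in found.items() if hits}
    if "restricted" in levels:
        return "restricted"
    if "confidential" in levels:
        return "confidential"
    return "internal"


def mask(value: str, keep: int = 4) -> str:
    """Mask all but the last `keep` digits so a report can cite a hit without re-exposing it."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - keep) + digits[-keep:]


def inventory(records) -> dict:
    """Map record id -> sensitivity label: the starting point for a data inventory."""
    return {r["id"]: classify(r) for r in records}


# Constructed sample records (fictitious person, a test card number, an SSA-style example SSN).
SAMPLE_RECORDS = [
    {"id": 1, "note": "Customer Jane Doe, SSN 219-09-9999, card 4111 1111 1111 1111"},
    {"id": 2, "note": "Contact jane.doe@example.com about the renewal"},
    {"id": 3, "note": "Order 4111111111111112 shipped"},  # 16 digits but fails Luhn
    {"id": 4, "note": "Quarterly revenue summary"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        hits = find_pii(rec["note"])
        print(rec["id"], classify(rec),
              [mask(c) for c in hits["card"]], [mask(s) for s in hits["ssn"]])
```

The Luhn check is what keeps the inventory honest: the 16-digit order number in record 3 fails mod-10 and the record stays at “internal” instead of being flagged as a card record. A real run would add the identifiers that matter to your own business (account numbers, medical record numbers, whatever tip #1 turns up) and would record where each hit physically lives, which is the other half of the tip.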

Here is a link to the full post: How to Lose Your Data in 10 Days

The 14 tips are a great place to start when thinking about securing your company’s data. As shown by the recent data breaches that have hit Target, Neiman Marcus, Michaels, and Barnes & Noble, the question is no longer one of if your company will have a data breach, but when.

When Your Company is Breached, Your Preparation Will Be Vital to the Company Surviving the Crisis

A data breach is a crisis situation for any company–especially given the amount of attention data breaches are getting these days. From a very big picture perspective, there are two goals to strive for when a company responds to a data breach: (1) avoid, or at least mitigate, any legal and regulatory trouble; and, (2) more importantly, minimize the impact of the breach on the company’s overall business. (see related data breach discussions) The only way your company can achieve these goals is to be proactive by getting prepared before the inevitable occurs–the breach.

If your company is prepared, it is in a much better position to minimize the loss of data, to respond to the breach, and to demonstrate to the legal and regulatory authorities that it acted reasonably in protecting its data. That showing goes a long way toward minimizing the legal and regulatory repercussions, which is the first goal. With the first goal under control, the company can then focus more of its effort on polishing its response for its customers and addressing their feelings and concerns. In other words, a prepared company is not panicking and scrambling just to get out a response, any response; it can take the time to analyze the situation through its customers’ eyes and provide a much better response that takes their feelings and concerns into consideration. This is the vital step because this is what helps preserve the company’s customer relationships.

The best way to be prepared for this is for your company to have a thorough and custom data breach incident response plan. The data breach incident response plan should be tailored to fit your company in many ways, including the following ways just to name a few:

  • the nature of your company’s culture, both internally and externally
  • the nature of your company’s customers
  • the nature of your company’s products or services
  • the nature of your company’s operations and management structure
  • the type, volume, and sensitivity of the data your company collects and retains
  • the security measures your company has in place
  • the resources your company has to devote to data security issues
  • the security standards of your company’s particular industry

Could you figure these things out on your own, with enough time and effort? Probably so, but would that really be efficient? More importantly, and I cannot overemphasize this point: you need an attorney to assist you with many of these things because, when the work is done under the guidance of an attorney and the proper formalities are observed, much of the process can be protected by the attorney-client privilege. It cannot be if no attorney is assisting with the process.

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Allscripts EHR Ransomware Attack is Huge–How Will it Impact Healthcare Practices?


On January 19, 2018, cybercriminals carried out a successful ransomware attack on Allscripts, an electronic health record (EHR) provider for healthcare providers across the United States. The attack encrypted some of Allscripts’ systems and prevented the healthcare providers who rely on those systems for their EHRs from accessing their patient records. Beyond the obvious impact on those providers’ ability to treat their patients, there is a HIPAA consequence: the Office for Civil Rights presumes that any cyber-related security incident in which protected health information was accessed, acquired, used, or disclosed is a reportable breach unless certain criteria are satisfied. (See the checklist in this post and this post for further explanation.)

The Texas Medical Liability Trust (TMLT)’s blog post, Allscripts EHRS Falls Victim to Ransomware Attacks, describes the facts of this event and what has taken place since the initial attack in much greater detail. The post also provides an excellent analysis of the Business Associate considerations in a situation such as this, and it features several important recommendations for what practices need to do now from my friend and excellent cybersecurity and data privacy attorney Adrian Senyszyn (LinkedIn) and myself. So, what are you waiting for? Go read the TMLT post … and hope and pray that you planned ahead and have cyber insurance!



National data breach notification law proposed by Senate Commerce Committee members (includes jail?)

Three Democratic senators introduced legislation Thursday requiring companies to notify customers of data breaches within 30 days of their discovery and imposing a five-year prison sentence on organizations caught concealing data breaches.

https://www.cyberscoop.com/national-data-breach-notification-law-bill-nelson-uber-equifax-hack/

Musings about the Equifax Data Breach

Musings and stuff about the

This is intended to be an old-fashioned “blog” about thoughts on the Equifax data breach. It will be ongoing so please check back regularly.

Topics

 


Media interviews and commentary


We are seeing shame hacking taken to a new level

(9/15/17) I have written a good bit about shame hacking and how hackers’ efforts to monetize their activities have evolved to their using shame, or embarrassment, as a tool to extort payments from their targets. This case seems to be taking it to a new level. For the last two days we have all seen the news about how Equifax’s failure to patch was the cause of the breach. Today, it got worse.

Now, apparently, the hackers are trying to play the role of “good guys” by telling the secrets of how they hacked Equifax, how easy it was, and just how negligent Equifax was in defending its network. Check out this story (which seems to be legit):  How Equifax got Hacked

Stop and think about this for a moment:

  • The hackers — the criminals who attacked Equifax and stole data from at least hundreds of thousands of people to potentially hundreds of millions of people — are now coming out and shaming Equifax for allowing them to do what they did.
  • Now I understand, with these revelations about its security practices, it is hard to feel sorry for Equifax and view it as the victim, and I’m not suggesting that we should. But let’s also not forget that Equifax was the company that was attacked — and now the attackers are the ones telling all to shame the company they attacked. We must keep this in perspective.
  • The problem is, we will not keep it in perspective, and we as part of the masses will all start to dog pile Equifax even more for the juicy scoop that the hackers are revealing about the company they attacked, and the hackers are stoking the flames: “if I have to release the information and make it public for these companies to finally acknowledge and admit their fuck ups (maybe not blame on apache flaw either) then I will,” the hackers said.
  • I am all for learning any lessons that we can from this attack, even if from the hackers themselves, and I am all for really letting Equifax have it for what they did, but the one thing I am not for is making these hackers out to be heroes in the end. As ridiculous as this may seem, now on 9/15/17, it would not be unprecedented … please, please, please, do not make these guys out to be heroes because they are not. They are criminals.

This is taking shame hacking to a new level. This kind of taunting would get a college or NFL football player ejected from a game — and we the people will enjoy every bit of it!

Stay tuned, this is getting interesting …


Will I lead a consumer class action lawsuit against Equifax?

I have received more inquiries from people via calls, emails, and social media posts who are interested in pursuing a class action lawsuit against Equifax than I have following every other breach combined, by at least double or triple the numbers! However, while it is clear that people want their pound of flesh, it will not be me leading the charge.


Lawsuits and investigations against Equifax

Well-respected data breach class action attorney John Yanchunis has already filed one class action lawsuit and it would not surprise me to see another well-respected data breach class action firm Edelson PC bring one as well. You can also learn more about class action lawsuits that are filed at the Top Class Actions website.

My thoughts on the “chatbot” suing Equifax are included in this article: Equifax’s Latest Legal Nightmare Might Be This Chatbot

The FTC has launched an investigation into the Equifax data breach.

Massachusetts’s attorney general said it will sue Equifax over the data breach.


What to do if you’re impacted by the Equifax data breach?

I doubt I could do a better job of giving you advice on this than the Federal Trade Commission can so check out their Consumer Information page that explains what to do and how to do it: The Equifax Data Breach: What to Do

One of the issues that has caused some confusion is the difference between a fraud alert and a credit freeze, which the FTC has also addressed: Fraud alerts vs. credit freezes: FTC FAQs

Here is the Equifax official page if you need it: www.equifaxsecurity2017.com

Given that data breaches are the new normal, I see no reason why we shouldn’t all have some form of credit monitoring as one more level of protecting ourselves. While Equifax is offering a year of free credit monitoring using its service, if you’re reluctant to sign up for Equifax’s free credit monitoring, you should sign up for somebody’s even if it means paying for it. My friend Todd Hindman works for ID Experts and they have a top-notch product: https://www2.idexpertscorp.com/

Here are some general talking points I used for a couple of media interviews on this (much of this came directly from the FTC website):

IDENTITY THEFT – HOW DO INDIVIDUALS PROTECT THEMSELVES

If you sign up for Equifax’s free credit monitoring, do you lose your right to sue?

No, you do not.

Equifax issued an official statement saying that you do not give up your right to sue if you sign up for its free credit monitoring:  Cybersecurity Incident & Important Consumer Information – Equifax:

[This week’s update]
Questions continue to be raised about the arbitration clause and class action waiver language that was originally in the terms of use for the free credit file monitoring and identity theft protection products that we are offering called TrustedID Premier. We have removed that language from the TrustedID Premier Terms of Use and it will not apply to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself. The arbitration language will not apply to any consumer who signed up before the language was removed.

[Last week’s update]

We’ve added an FAQ to our website to confirm that enrolling in the free credit file monitoring and identity theft protection that we are offering as part of this cybersecurity incident does not waive any rights to take legal action. We removed that language from the Terms of Use on the website, www.equifaxsecurity2017.com. The Terms of Use on www.equifax.com do not apply to the TrustedID Premier product being offered to consumers as a result of the cybersecurity incident.


What caused the Equifax data breach?

The Apache Software Foundation, which maintains the open source software involved, issued a statement attributing the breach to Equifax’s failure to install a patch, or security update, that had been available for a couple of months: “The Equifax data compromise was due to (Equifax’s) failure to install the security updates provided in a timely manner.”

Now it appears that Equifax was also using the uber-challenging authentication credentials of “admin/admin” to protect data in Argentina.


What’s more important than the 3 things below? Prevention — as stated here!


3 Things Worth Learning from the Equifax Breach

The SecureWorld News Team talked with me about many of the lessons that can be learned from the Equifax data breach and winnowed it down to the following 3 takeaways that are discussed more thoroughly in the article:

  1. We need a uniform national breach notification law in the United States.
  2. When it comes to data breach response, “[i]t’s not about what you do right, as much as what you do not do wrong.”
  3. A mega breach keeps going, and going, and going.

Please take a look at the full article, 3 Things Worth Learning from the Equifax Breach, and let the SecureWorld News Team know what you think on Twitter, Facebook, LinkedIn, and Google+


Will Equifax be the “tipping point” for companies to take action on cybersecurity, much the way Target was the “tipping point” for awareness?

My friend Roberta Anderson and I had a conversation on Facebook in which she shared an article she wrote back in April 2014 (Business Forum: Target security breach could be a wake-up call) about the Target data breach being the tipping point for raising awareness about the need for cybersecurity and the risks of data breach. Her question to me was whether I thought Equifax would be another such tipping point. Here is the link to the Facebook post if you want to join the conversation.

Here is my response, also in the post above:

Roberta, that is an excellent article and some excellent questions you raise about Equifax. I recall back in 2011 hearing that year was the “Year of the Data Breach” because we thought, at the time, that with news of *some* data breaches making their way into the traditional news headlines it would be enough to jolt business leaders to start taking action. It wasn’t. As you predicted back in April 2014, it was going to be Target that really turned out to be the “tipping point” and I firmly believe that it was quite a watershed moment in the world of cybersecurity and data breach insofar as raising awareness is concerned. Unfortunately, it wasn’t enough. It wasn’t enough to move from mainstream awareness to mainstream action.

Now to the question of Equifax — will it be the “tipping point” that moves the needle from awareness to action? It very well could be for several reasons. First and foremost, people are pissed — really pissed — about a company that has made its business off of judging them and their “worthiness” now not only showing its unworthiness but also doing so at the expense of the people it has been judging — without their consent! In the world of perception and persuasion, that’s a horrible fact. I have seen this first hand — I have received two to three times more telephone calls, emails, texts, and social media messages asking me to bring a class action lawsuit against Equifax in less than a week than I have in the wake of every other data breach combined — COMBINED! People want their pound of flesh! Add to that the actions of the executives in selling their stock, post-breach (whether they knew or not), the perceived delay in notifying, and the extreme sensitivity of the data involved and you have the makings of a nuclear bomb of breach consequences which are already forming with the lawsuits, extended publicity, and congressional inquiries. But, will that be enough to move the needle to action? I don’t know … will their stock rebound? Will the congressional inquiry go the way of Yahoo’s CEO (who also received letters of inquiry from Congress)? Will the insurance cover much of the sting? Will the execs lose their jobs — without golden parachutes that provide them with better landings than most of us will ever have in our lives? Or, will somebody go to jail and, if so, under what theory?

Effective cybersecurity is hard and requires a commitment to a perpetual journey that has no final destination. That’s not a journey that most companies will truly commit to unless they are forced to do so — even if they *should*. Unless someone really pays the price for this Equifax incident, in a grand and public manner for all of the world to see (no, I’m not suggesting a public hanging — but something that will leave the imagery in the public’s mind the way those once did — like the Ford Pinto case), I just don’t know.


Will Equifax get hit for this data breach like Ford did for its “bean counting” in the Pinto case?

I wrote this post back in 2011 and we’re still waiting for the “message” to be sent — will this be it? Data Breach — Who’s Gonna Get It?


Random Info


Incident Response – 3 Takeaways from the Equifax Breach

The SecureWorld News Team talked with Shawn Tuma about many of the lessons that can be learned from the Equifax data breach and winnowed it down to the following 3 takeaways that are discussed more thoroughly in the article:

  1. We need a uniform national breach notification law in the United States.
  2. When it comes to data breach response, “[i]t’s not about what you do right, as much as what you do not do wrong.”
  3. A mega breach keeps going, and going, and going.

Please take a look at the full article, 3 Things Worth Learning from the Equifax Breach, and let the SecureWorld News Team know what you think on Twitter, Facebook, LinkedIn, and Google+


Key Points of Delaware’s New Data Breach Notification Law

Delaware recently amended its data breach notification law to include the following requirements:

  • Expanded definition of “personal information” to include biometric data, medical information, passport numbers, routing numbers for accounts, individual taxpayer identification numbers and usernames in addition to the traditional forms of PII such as birth date and social security numbers.
  • Notice to affected individuals within 60 days.
  • Notice to the Delaware Attorney General if the breach affects more than 500 residents of Delaware.
  • Provide one year of free identity theft protection services in breaches where Social Security numbers were compromised (joining CA and CT).

Companies are not required to notify individuals if, after an appropriate investigation (i.e., performing a risk assessment), the company reasonably determines there is no risk of harm to the individuals.

On the cybersecurity side of things, the new law requires companies to “implement and maintain reasonable security” to protect the information a company collects and holds for Delaware residents.

The effective date of the new law is April 14, 2018.

OCR Issues Cyberattack Response Checklist and Infographic

The United States Department of Health and Human Services’ Office for Civil Rights has just issued a checklist and infographic to aid healthcare organizations and their vendors in quickly responding to cyberattacks in compliance with HIPAA requirements.