Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

Here’s a good idea – don’t agree to cloud Click Agreements because the cloud is such a huge target for cybercriminals!

Posted in Cyber, E-Discovery, eCommerce

More businesses should use lawyers that understand how to negotiate cloud agreements, because Click Agreements don’t provide all the necessary legal requirements given Cisco’s report that “The cloud is a whole new frontier for hackers, and they are exploring its potential as an attack vector in earnest…They also recognize that they can infiltrate connected systems faster by breaching cloud systems.”  The Cisco 2017 Midyear Cybersecurity Report advised companies who rely on the cloud (like every company on earth) that:

…they need to understand their role in ensuring cloud security.

Cloud service providers are responsible for the physical, legal, operational, and infrastructure security of the technology they sell.

Before agreeing to a cloud Click Agreement you should check whether your lawyer understands how to negotiate cloud agreements!

No cyber insurance coverage for $800,000 loss for spearphishing (aka BEC - Business Email Compromise)!

Posted in Cyber, eCommerce

It was reported that a court agreed with Travelers, “which denied coverage on the basis the loss was not a “direct loss” that was “directly caused by the use of a computer” as required by the policy.” My friend Judy Greenwald wrote the article entitled “Manufacturer can’t recover spoofing email losses from insurer” about the ruling by the US District Judge, Eastern District of Michigan (Ann Arbor) in the case American Tooling Center Inc. v. Travelers Casualty and Surety Company of America, which included these facts:

The vice president received emails purportedly from the vendor instructing ATC to send payment for several legitimate outstanding invoices to a new bank account, according to the ruling.

Without verifying the new banking instructions, ATC wire-transferred about $800,000 to a bank account that was not, in fact, controlled by the vendor.

The Judge granted Summary Judgment for Travelers since:

There was no infiltration or ‘hacking’ of ATC’s computer system,

The emails themselves did not directly cause the transfer of funds; rather, ATC authorized the transfer based upon the information received in the emails.

No question that verifying the spoofed email’s new banking instructions would have avoided this result: no monies would have been transferred.

GUEST BLOG: Is your business at risk for not knowing about the liability limits under the 911 Cybersecurity Laws (Safety Act)?

Posted in Cyber

My Guest Blogger Eddie Block (CISSP, CIPM, CIPP/G, CISA, CEH) is a senior attorney in Gardere’s Litigation Group and member of the Cybersecurity and Privacy Legal Services Team who focuses on all aspects of information cyber security, including credentialing functions, firewall and IDS deployment and monitoring, and penetration testing, and related complex litigation.  Eddie blogs at JurisHacker.

Interested in liability protections? Learn about the Safety Act.

The “Support Anti-terrorism by Fostering Effective Technologies Act of 2002” or Safety Act (no, I don’t know where the “Y” came from) seems to have flown under the radar for the past 15 years, with few buyers or sellers of cybersecurity technologies taking advantage of the Act and its liability protections.

Passed in the wake of the terrorist attacks on September 11, 2001, the Act’s stated intent is to incentivize the development and deployment of Qualified Anti-Terrorism Technologies (QATT), including cybersecurity technologies, in a couple of very specific ways.

First, the Act limits the Seller of a QATT’s financial liability to an amount determined by the Office of SAFETY Act within the Department of Homeland Security.  In exchange for carrying the required insurance, the seller’s liability is limited to the amount of that insurance (6 CFR Part §25.7(a)).  Additionally, no punitive, exemplary (§25.7(b)(1)), or noneconomic damages, “unless the plaintiff suffered physical harm” are available to the plaintiff (§25.7(b)(2)).

This is all great news for the Seller of a QATT, but what about their customers?  Section 25.7(d) extends these liability protections downstream:

“There shall exist only one cause of action for loss of property, personal injury, or death for performance or nonperformance of the Seller’s Qualified Anti-Terrorism Technology in relation to an Act of Terrorism. Such cause of action may be brought only against the Seller of the Qualified Anti-Terrorism Technology and may not be brought against the buyers, the buyers’ contractors, or downstream users of the Technology, the Seller’s suppliers or contractors, or any other person or entity. In addition, such cause of action must be brought in the appropriate district court of the United States.”

So putting it all together, any cause of action resulting from an Act of Terrorism regarding a QATT has exclusive federal jurisdiction, has a cap to awards, cannot include punitive, exemplary, or noneconomic (with exceptions) damages, and can only be brought against the Seller, not their subcontractors, suppliers or buyers.

What is an Act of Terrorism?  The determination of an Act of Terrorism is left to the Secretary of Defense (or their designee), but the requirements are that the Act:

  1. Is unlawful;
  2. causes harm; and
  3. uses methods designed or intended to cause mass destruction.

There is no requirement that the Act of Terrorism have a political basis.  Many attacks against public and private sector enterprises could fall under this umbrella.

Of course, this is a very high-level overview of a 10-page regulation, but with so many benefits for themselves and their customers, companies are tripping over themselves to get to the Office of SAFETY Act, right?

Actually, according to the Approved Awards Search site, only around a dozen companies have earned awards for cybersecurity-related technologies.  In a world where over 300 vendors exhibited at the most recent Black Hat conference, it would seem that the ability to offer your customers any level of liability protection would make a great differentiator.

US Cyber insurance market exceeds $2.49 Billion!

Posted in Cyber, eCommerce, Internet Privacy

A report to the Cybersecurity (EX) Task Force explains the growth of cyber insurance to more than $2.49 billion in 2016 because “Cybersecurity breaches can cause a major drain on the U.S. economy”…and in particular “Financial Services Sector is perhaps the most under attack from cyber criminals.”  The August 6, 2017 “Report on the Cybersecurity Insurance Coverage Supplement” was provided by the National Association of Insurance Commissioners (NAIC) and the Center for Insurance Policy and Research which included these details:

  • Financial firms receive, maintain and store sensitive personal financial information from their customers.
  • Cyber criminals are interested in this sensitive information as it can be used for financial gain by stealing a person’s identity for fraudulent purposes.
  • We know from observation of the dark web that personal health information is much more valuable these days than personal financial information.
  • Nation states are also known to sponsor cyber-attacks for espionage or gaining access to corporate trade secrets and business processes.
  • A growing area of concern is ransomware used to extort payments from compromised firms.

No surprises in this report to the Cybersecurity (EX) Task Force!

Two-factor authentication may avoid disasters since there are more than 1 billion compromised usernames and passwords!

Posted in Cyber

It was reported that “Troy Hunt, a security expert who runs the Have I Been Pwned data breach notification service, has an idea to help organizations prevent people continuing to use their own compromised passwords or selecting ones that have been leaked.”  The August 3, 2017 report entitled “Here Are 306 Million Passwords You Should Never Use” recommends that “two-factor authentication can block the recycling of known credentials” but “its use is still far from widespread” and that:

…ultimately no good defense against a hacker who has valid user credentials.

The password problem does not appear to be getting better, so businesses need to migrate to two-factor authentication ASAP.
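As an added example (not code from this blog, from Troy Hunt’s service, or from the report quoted above), here is how a registration or password-change handler can refuse a candidate password that already appears in a breached-password list, which is the defensive use of such lists that the report describes. The corpus is a constructed four-entry sample in the SHA-1 “hash:count” layout that downloadable breach lists use; the function names, the 12-character minimum and the “times seen” counts are assumptions made for the illustration.

```python
from __future__ import annotations

import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the digest breach lists are keyed by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample corpus (not real breach data): each line is
# "<SHA-1 of password>:<times seen in breaches>". The counts are made up.
SAMPLE_BREACH_LIST = "\n".join([
    f"{sha1_hex('password')}:3645804",
    f"{sha1_hex('123456')}:20760336",
    f"{sha1_hex('letmein')}:232700",
    f"{sha1_hex('Summer2017!')}:1520",
])


def load_breached_hashes(text: str) -> dict[str, dict[str, int]]:
    """Index the corpus by the first 5 hex characters of each hash.

    Keying on a short prefix means a lookup only needs the prefix to select a
    bucket; if that bucket were fetched from a remote service, the full hash of
    the candidate password would never have to leave the client.
    """
    index: dict[str, dict[str, int]] = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed lines rather than failing open
        digest, count = line.split(":", 1)
        digest = digest.strip().upper()
        index[digest[:5]][digest[5:]] = int(count)
    return index


def times_seen_in_breaches(password: str, index: dict[str, dict[str, int]]) -> int:
    """How many times the corpus has seen this exact password (0 = not found)."""
    digest = sha1_hex(password)
    return index.get(digest[:5], {}).get(digest[5:], 0)


def check_new_password(password: str, index: dict[str, dict[str, int]],
                       min_length: int = 12) -> list[str]:
    """Return the reasons a proposed password should be rejected (empty = accept)."""
    problems: list[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    seen = times_seen_in_breaches(password, index)
    if seen:
        problems.append(f"appears in known breaches ({seen:,} times)")
    return problems


BREACHED = load_breached_hashes(SAMPLE_BREACH_LIST)

if __name__ == "__main__":
    for candidate in ["password", "Summer2017!", "correct horse battery staple"]:
        verdict = check_new_password(candidate, BREACHED) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Rejecting known-breached passwords stops users from recycling credentials that attackers already hold, but it does not help once a valid, unbreached credential is phished; that is the gap the article points to, and the reason two-factor authentication is still needed alongside this check.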

Blockchain vs. the SEC – ICOs (Initial Coin Offerings) are securities!

Posted in eCommerce

The Securities & Exchange Commission (SEC) ruled that “…issuers of distributed ledger or blockchain technology-based securities must register offers and sales of such securities unless a valid exemption applies. Those participating in unregistered offerings also may be liable for violations of the securities laws. Additionally, securities exchanges providing for trading in these securities must register unless they are exempt.”  The July 25, 2017 news release entitled “SEC Issues Investigative Report Concluding DAO Tokens, a Digital Asset, Were Securities” explains that the SEC’s Report:

…stems from an inquiry that the agency’s Enforcement Division launched into whether The DAO and associated entities and individuals violated federal securities laws with unregistered offers and sales of DAO Tokens in exchange for “Ether,” a virtual currency.

The DAO has been described as a “crowdfunding contract” but it would not have met the requirements of the Regulation Crowdfunding exemption because, among other things, it was not a broker-dealer or a funding portal registered with the SEC and the Financial Industry Regulatory Authority.

The SEC news release included these comments from William Hinman (SEC Director of the Division of Corporation Finance):

Investors need the essential facts behind any investment opportunity so they can make fully informed decisions, and today’s Report confirms that sponsors of offerings conducted through the use of distributed ledger or blockchain technology must comply with the securities laws.

Obviously the SEC will continue to review ICOs closely.

Guess what? There will be increased cyber problems in 2017 including Ransomware, Malware, and IoT!

Posted in Cyber, eCommerce

Malwarebytes examined almost “one billion malware detections/incidences…in nearly 100 million Windows and Android devices…in over 200 countries” to make its 2017 State of Malware Report which included these three takeaways:

  1. Ransomware grabbed headlines and became the favorite attack methodology used against businesses.
  2. Ad fraud malware, led by Kovter malware, exceeded ransomware detections at times and poses a substantial threat to consumers and businesses.
  3. Botnets infected and recruited Internet of Things (IoT) devices to launch massive DDoS attacks.

Little doubt that improved employee training can reduce many of these cyber problems.

Do you trust China to be the world leader in AI (Artificial Intelligence)?

Posted in eCommerce, IT Industry

The New York Times reported that China “laid out a development plan on Thursday to become the world leader in A.I. by 2030, aiming to surpass its rivals technologically and build a domestic industry worth almost $150 billion.”  The July 20, 2017 report entitled “Beijing Wants A.I. to Be Made in China by 2030” included these details on the plan:

…comes with China preparing a multibillion-dollar national investment initiative to support “moonshot” projects, start-ups and academic research in A.I.

Unfortunately, the US:

…has cut back on science funding. In budget proposals, the Trump administration has suggested slashing resources for a number of agencies that have traditionally backed research in A.I.

What do you think?

FTC to the rescue with Cybersecurity roundtables for small businesses!

Posted in Cyber, eCommerce

The Federal Trade Commission (FTC) will hold a series of public roundtables since companies “with only a few employees face unique challenges when it comes to cybersecurity.” The July 20, 2017 announcement entitled “FTC to Host Cybersecurity Roundtables with Small Businesses” publicizes a new website launched in May, Protecting Small Businesses, which focuses on “Cybersecurity”:

Running a company with a few employees? Check out these computer security basics for small businesses. And learn how to protect computers and networks against threats, develop a plan to protect customers’ personal information, and what to do if there is a data breach.

Here’s the current plan for these roundtables:

The first roundtable event will take place July 25 in Portland, Oregon, in partnership with the National Cyber Security Alliance (NCSA), the SBA, and other organizations. This event will be followed by a roundtable discussion in Cleveland, Ohio, on September 6, hosted by the FTC and the Council of Smaller Enterprises and in collaboration with the SBA. Another roundtable event will take place later in September in Des Moines, Iowa, sponsored by the NCSA.

The roundtables will certainly help small businesses, so stay tuned for the advice we get from these roundtables.

Will IBM’s recommendation to encrypt the universe provide better cyber protection, or just profits for IBM?

Posted in Cyber, eCommerce, IT Industry

The Washington Post reported that “IBM argues that universal encryption could be the answer to what has become an epidemic of hacking.”  The July 17, 2017 article entitled “To battle hackers, IBM wants to encrypt the world” included these comments about IBM’s recommendation to encrypt the universe:

…it has achieved a breakthrough in security technology that will allow every business, from banks to retailers to travel-booking companies, to encrypt their customer data on a massive scale — turning most, if not all, of their digital information into gibberish that is illegible to thieves with its new mainframe

But the Washington Post also pointed out that IBM should be able to generate greater revenue:

For IBM, encryption is also a massive business opportunity. Businesses spend over $1 trillion a year making sure that their security meets government standards,…

IBM’s encryption recommendation will be interesting to follow.