Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

New Cyber rules for DOD contractors may be creating new problems!

Posted in Cyber

Law360 reported that many experts are concerned that “companies who share cybersecurity incident information with a DOD contractor will be considered a third-party beneficiary of the DOD, with the ability to sue if confidential information is leaked or stolen, but that offers little solace to those who have their information stolen.” The October 20, 2016 report entitled “DOD Cyber Rule May Create As Many Problems As It Solves” included this explanation:

The final “network penetration” rule, unveiled on Thursday and set to go into effect at the end of 2017, tweaks the Defense Federal Acquisition Regulation Supplement to require U.S. Department of Defense contractors to report to the DOD whenever their networks containing “covered defense information” are breached, part of a broader recent push to improve cybersecurity.

The article includes these comments from Michael Scheimer (at Hogan Lovells):

…the final rule clarifies that contracts for “fundamental research” aren’t considered to involve covered defense information, and also clarifies that it does not cover contracts for commercial off-the-shelf, or COTS, items, both of which are improvements over the interim rules,

Given the daily cyber headlines it is critical that DOD be properly protected, and the rule appears to require more adjustments.

VIDEO: How does the EU Privacy Shield impact privacy for non-PII data or PCI?

Posted in eCommerce, Internet Privacy

Companies that transfer their accounting records between countries should know whether the new EU Privacy Shield applies to that data, whether it contains Personally Identifiable Information (PII) or PCI credit card information. To learn more, please watch my recent video entitled “Data Transfer Agreements: What You Need to Know.”

The video interview by SmartPros is part of a series of educational videos covering subjects in the accounting, financial services, legal, engineering and information technology industries.

Can the G7 really protect the financial world from cybercrime?

Posted in Cyber, eCommerce

Reuters reported that the Group of Seven (G7) industrial powers (Britain, Canada, France, Germany, Italy, Japan and the US) “agreed on guidelines for protecting the global financial sector from cyber attacks following a series of cross-border bank thefts by hackers.” The October 11, 2016 report entitled “G7 sets common cyber-security guidelines for financial sector” included these comments:

Policymakers have grown more worried about financial cyber security in the wake of numerous hacks of SWIFT, the global financial messaging system, including an $81 million theft in February from the Bangladeshi central bank’s account at the New York Federal Reserve.

The G7 guidelines state that “Cyber risks are growing more dangerous and diverse, threatening to disrupt our interconnected global financial systems” and contain the following elements:

Element 1: Cybersecurity Strategy and Framework.

Element 2: Governance.

Element 3: Risk and Control Assessment.

Element 4: Monitoring.

Element 5: Response.

Element 6: Recovery.

Element 7: Information Sharing.

Element 8: Continuous Learning.

It’s hard to imagine that the G7 can be successful without buy-in from all countries around the world.

Help make this Blog the top CYBER and PRIVACY Legal Blog!

Posted in Cyber, eCommerce, Internet Privacy

Please vote at the Expert Institute for this blog as the 2016 Best Legal Blog before voting ends on November 14, 2016 at 12 a.m. EST.

I am most thankful for all my friends around the world who comment about my Cyber and Privacy blogs since I started this Internet, IT & eDiscovery blog in 2008, and appreciate their thoughts about my blogs.

It is an honor to be nominated for the 2016 Best Legal Blog and I will be humbled by your vote. Thanks in advance for your support.

“Top Secret” Electronic Records Stolen by NSA Cybersecurity Contractor!

Posted in Cyber, eCommerce

The New York Times reported that a cybersecurity contractor for the NSA (National Security Agency) was arrested based on allegations that “he stole and disclosed highly classified computer code developed to hack into the networks of foreign governments.” The October 6, 2016 article entitled “N.S.A. Contractor Arrested in Possible New Theft of Secrets” reported that Harold T. Martin III, who, like Edward Snowden, was a contractor with Booz Allen Hamilton, “which is responsible for building and operating many of the agency’s most sensitive cyberoperations.” According to the Criminal Complaint, filed on August 29, 2016:

He was charged with theft of government property, and unauthorized removal or retention of classified documents. During an F.B.I. raid of his house, agents seized documents and digital information stored on electronic devices. A large percentage of the materials found in his house and car contained highly classified information.

Mr. Martin’s attorneys issued the following statement:

We have not seen any evidence. But what we know is that Hal Martin loves his family and his country. There is no evidence that he intended to betray his country.

Time will tell, but this report of espionage is very disturbing!

GUEST BLOG: Can the FTC control the privacy of the IoT (Internet of Things)?

Posted in Cyber, eCommerce, Internet Access

My Guest Blogger Eric Levy is a senior attorney in Gardere’s Trial Practice Group who focuses on cyber security, PCI compliance, PII, eCommerce, and related complex litigation.

Apparently IoT is leading the FTC (Federal Trade Commission), the government watchdog of privacy, one step closer to broadening the scope of what it believes falls within the definition of “personally identifiable information” or PII.

As the Keynote Speaker at the Technology Policy Institute luncheon in Aspen, Colorado on September 20, 2016, FTC Chairwoman Edith Ramirez commented on the need for companies to honor the rights of individual consumers to retain control over their own PII in a digital world where the proliferation of IoT devices shows no signs of slowing down.

“In a world of connected devices, consumers often do not know which companies are doing what,” Ramirez explained, pointing out that a mobile device like a phone or tablet will involve a multitude of stakeholders (the manufacturer of the device, the creator of the OS, the carrier providing the connection and each app developer). Given this vast number of corporate actors, Ramirez remarked that resulting customer confusion could incentivize companies to pass the blame for the sale, loss or theft of PII onto another technology provider in the chain, the result being that consumers never find out how their data was appropriated or used.

In spite of this rather bleak outlook, Ramirez dismissed the idea that this new level of complexity has rendered traditional methods of obtaining consumer consent obsolete. She expanded on her position by noting that the FTC has already started taking steps to broaden the working definition of PII to include any data that can “be reasonably linked to a particular person, computer, or device.” She included as examples things like persistent identifiers, such as device identifiers, MAC addresses, static IP addresses, and retail loyalty card numbers.

Ramirez also said that device manufacturers and other consumer-facing companies should improve customers’ “ability to manage and express their privacy preferences” through things like “set-up wizards and settings menus … as well as dashboards where consumers can revisit and modify their choices.”

While it is too soon to say how far the FTC will push this expansion of consumer control and options, it seems likely that, as the definition of PII broadens, so too will the number of FTC enforcement actions. Be warned!

Antitrust challenge of Microsoft’s acquisition of LinkedIn!

Posted in eCommerce

The New York Times reported that Salesforce “has raised concerns with Europe’s antitrust authorities about the potential takeover” as to “…whether Microsoft’s proposed deal would hinder access by people and companies to the vast collection of data held by LinkedIn.” The September 29, 2016 article entitled “Salesforce Is Said to Question Microsoft-LinkedIn Deal in Europe” includes these comments from Burke Norton (Salesforce’s chief legal officer):

Microsoft’s proposed acquisition of LinkedIn threatens the future of innovation and competition,
…Microsoft will be able to deny competitors access to that data, and in doing so obtain an unfair competitive advantage.

In response the New York Times included these comments from Brad Smith (Microsoft’s president and chief legal officer):

We’re committed to continue working to bring price competition to a C.R.M. [Customer Relationship Management] market in which Salesforce is the dominant participant charging customers higher prices today,

Stay tuned since Microsoft intends to proceed with its acquisition of LinkedIn.

Very likely that the cyberattacks against Southwest & Delta were directed at your passenger data

Posted in Cyber, Internet Access

Darkreading reported that a recent cyber safety report to the Federal Aviation Administration (FAA) drew on a PricewaterhouseCoopers (PwC) survey, noting that “85 percent of airline CEOs in the PwC survey cited cybersecurity as a major risk likely because of the very sensitive nature of passenger data and flight systems.” The September 23, 2016 Darkreading report entitled “Advisory Body Calls For Stronger Cybersecurity Measures Across Airline Industry” cited the RTCA (Radio Technical Commission for Aeronautics, founded in 1935), whose recommendations included:

…recommendations is on ensuring that manufacturers, carriers, maintenance facilities and airports maintain an adequate level of cyber preparedness on a routine, day-to-day basis.

The long-term goal is on ensuring not only that systems are properly secured up front when in development but also on making sure the systems are maintained that way during operations.

The Wall Street Journal report entitled “FAA Advisory Body Recommends Cybersecurity Measures” described the RTCA as:

The Federal Aviation Administration’s top technical advisory group adopted language seeking to ensure that cybersecurity protections will be incorporated into all future industrywide standards—affecting everything from aircraft design to flight operations to maintenance practices.

Stay tuned for more airline cyber disasters until these guidelines are in force!

500 million Yahoo users compromised by cyberintrusion, but Yahoo doesn’t plan to provide credit monitoring!

Posted in Cyber, eCommerce

Reuters reported that Yahoo would likely not need to “provide them with credit monitoring services” even though Bob Lord (Yahoo’s CISO) posted “An Important Message About Yahoo User Security”:

The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.

The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.

Yahoo recommended that users take several actions, including:

  • Change your password and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.
  • Review your accounts for suspicious activity.
  • Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
  • Avoid clicking on links or downloading attachments from suspicious emails.

Stay tuned as more details are revealed!

$1 trillion will be spent on Cybersecurity in the next 5 years!

Posted in Cyber, Internet Access

CSO recently predicted “a major uptick in cyber spending — to the tune of 12 to 15 percent year-over-year growth through 2021” in an article entitled “Cybersecurity spending outlook: $1 trillion from 2017 to 2021,” which included these comments from the SANS Institute, presented in February 2016:

Tracking security-related budget and cost line items to justify expenditures or document trends can be difficult because security activities cut across many business areas, including human resources, training and help desk.

Most organizations fold their security budgets and spending into another cost center, whether IT (48%), general operations (19%) or compliance (4%), where security budget and cost line items are combined with other related factors.

Only 23% track security budgets and costs as their own cost center.

Given the size of the cyber threat around the world we have little choice but to spend these significant monies on Cybersecurity!