Internet, Information Technology & e-Discovery Blog

Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

Southwest Airlines – Cyberattack or failed disaster recovery?

Posted in Cyber, eCommerce, IT Industry

One might conclude that there had been a cyberattack after Southwest Airlines cancelled more than 700 flights on July 21, 2016, but Southwest claimed that the IT system failed and then “…the backup failed and then the restoration process also failed. It took about 12 hours to finally get all the systems restored” according to CEO President Gary Kelly as reported by the Dallas News on July 21, 2016 and which also had this comment about some of the impacts of the outage:

…which affected customer-facing portions of the company’s operation including passenger check-in, printing boarding passes, buying tickets and rescheduling itineraries.

Computerworld‘s entitles “Southwest Airlines delays flights after computer issues” included this comment:

Southwest did not immediately respond to a request for information on what the technology problem was. It said in the statement that it had a team of experts working to resolve the technical issues and the systems were gradually coming back online.

The team of experts may conclude that there was a cyberattack since IT backups and restoration are not designed to fail!

Microsoft contempt ruling overturned for failing to produce emails in Ireland!

Posted in Anonymous Internet Activity, E-Discovery, eCommerce, Internet Access, Internet Jurisdiction, Internet Privacy

In 1986 Congress passed the Stored Communications Act (SCA) to control telephone records long before the Internet we know today, but the SCA is the main law that Internet companies rely to protect users’ content and in 1986 in passing the SCA “Congress focused on providing basic safeguards for the privacy of domestic users.” Nonetheless in 2014 the New York a trial court found Microsoft in contempt for failing to produce emails of an alleged criminal stored on serves in Ireland which Microsoft refused to do given Irish law.

Ultimately on July 14, 2016 the 2nd Circuit reversed the trial court and ruled in Microsoft v. United States of America that:

…§2703 of the Stored Communications Act does not authorize courts to issue and enforce against U.S.‐based service providers warrants for the seizure of customer e‐mail content that is stored exclusively on foreign servers.

The Washington Post reported that Brad Smith (Microsoft President and Chief Legal Officer) said in an email:

The decision is important for three reasons: it ensures that people’s privacy rights are protected by the laws of their own countries; it helps ensure that the legal protections of the physical world apply in the digital domain; and it paves the way for better solutions to address both privacy and law enforcement needs,…

There is no telling if Congress won’t change the SCA or how the Supreme Court may view this dispute if the Justice Department decides to appeal.

Cyber risk for HIPAA data increasing as criminals are now focused at healthcare technology!

Posted in Cyber, eCommerce, Internet Access

There is little surprise to learn that cybercriminals are now focused at “healthcare IT infrastructure,…also connected medical devices, mobile computing devices used by medal staff and, most profitably, electronic health records (EHR) systems.”  The July 12, 2016 DarkReading report entitled “Healthcare Hacks Face Critical Condition” referenced InfoArmor’s report “Healthcare under attack – CyberCriminals Target Medical Institutions” which included these observations:

…four attacks against US-based healthcare organizations, attackers in a theft campaign this spring were able to steal at least 600,000 detailed patient records and place 3 terabytes of associated data on the Dark Web’s black market.

These included MRI and X-ray images, patient-specific biometrics, and doctor’s treatment notes. In initial reports of the breaches that came to light last month, the threat actors themselves claimed they had access to millions of records, as well as persistent unauthorized access to  medical organizations’ systems for ransomware distribution.

HIPAA “Covered Entities” need to be on high alert!

Spoliation or Privacy “Right to be Forgotten”? – Google’s new service “My Activity” allows you to delete your history!

Posted in Cyber, E-Discovery, Internet Privacy

People should be thoughtful of using My Activity because destroying your Google history in litigation may lead to a claim of spoliation (destruction of evidence) when using Google’s recently launched My Activity which “is a central place to view and manage activity like searches you’ve done, websites you’ve visited, and videos you’ve watched.”  My Activity specifically allows the following activities which can be deleted:

  • Delete items individually
  • Delete related activity
  • Delete activity using search & filters
  • Delete activity from a certain day or time period
  • Delete everything in My Activity

All together My Activity allows the following controls:

  • Control what activity gets saved to your account
  • “Device Information” setting
  • Delete searches & other activity from your account
  • See and control your search & browsing activity
  • Google Voice & Audio Activity
  • Manage and delete your Location History
  • Manage your watch history
  • View or delete search history

How can you use this to help control your Google history while at the same time not spoliating evidence?

Court rules that Travelers must defend cyberintrusion of medical records (HIPAA?) under CGL policy

Posted in Cyber, eCommerce

An appellate court agreed that “Travelers is duty bound under the Policies to defend Portal [Portal Healthcare Solutions, L.L.C.] against the class-action complaint”…that “alleges that Portal and others engaged in conduct that resulted in the plaintiffs’ private medical records being on the internet for more than four months.”  In the case of The Travelers Indemnity Company of America v. Portal Healthcare Solutions, L.L.C. on April 11, 2016 the 4th Circuit Court of Appeals affirmed the trial court denying Traveler’s claim for declaratory judgment that it did not have a duty to defend under it’s CGL policy:

…that it was required under Virginia law to “follow the ‘Eight Corners’ Rule” by looking to “the four corners of the underlying [class-action] complaint” and “the four corners of the underlying insurance policies” to determine whether Travelers is obliged to defend Portal.

This case has limited import in 2016 since this was an older CGL policy which did not include a cyber exclusion, which most policies do today.

Good idea -Ransomware may be avoided if you backup your data to 3 locations!

Posted in Cyber, eCommerce

Webroot recommends that you “need to set up a regular backup regimen that at a minimum backs up data to an external drive, or backup service, that is completely disconnected when it is not performing the backup.”  On May 18, 2016 Webroot issued “A Guide to Avoid Being a Crypto-Ransomware Victim” which included these recommendations for which “data and systems are backed up in at least three different places”:

  • Your main storage area (file server)
  • Local disk backup
  • Mirrors in a cloud business continuity service

The report included this subtitle “Over 15 Practical Things You Can Do To Protect Your Organization and Data” so I recommend you review the entire report.

Cybersecurity jumps to the 9th top concern of 91% of manufacturers!

Posted in Cyber, eCommerce

BDO’s annual RiskFactor Report for the first time cites that manufacturers’ top 10 concerns about “operational infrastructure risk, including information systems and implementation of new systems and maintenance.”  The “2016 BDO Manufacturing RiskFactor Report” issued in June 21, 2016 introduced the subject with this headline “Manufacturers Scamper to Shore Up Security” and these comments:

Manufacturing was the second-most targeted industry for cyber attacks in 2015, according to IBM. While the industry may have flown under the radar as high-profile attacks against the retail, financial services and healthcare industries made headlines, manufacturers’ information, intellectual property and products have become prime targets for cyber criminals.

The Top 25 Risk Factors cited in 10-Ks that BDO reviewed listed that “Breaches of technology security, privacy, theft, computer crime” is now #9 and the list of all 25 (“t” indicates a tie in the risk factor ranking”:

#1 U.S. and foreign supplier/vendor concerns and distribution disruptions

#2 Federal, state and/or local regulations

#3 Labor concerns/underfunded pensions

#3t Competition & consolidation in manufacturing

#3t Commodity/raw material prices

#6 General economic conditions

#7 Environmental regulations, laws and liability

#8 Threats to international operations and sales

#9 Breaches of technology security, privacy, theft, computer crime

#9t Currency risk, including exchange, fluctuation

#9t Inability to manage, complete and integrate current or future M&A, joint ventures, divestitures or other transactions

#12 Ability to maintain operational infrastructure, including information systems, implementation of new systems

#12t Business Interruption (natural disasters, war, conflicts and terrorist attacks)

#12t Failure to properly execute corporate strategy

#15 Access to capital or liquidity

#15t Less demand for products

#17 Ability to develop and market quality products that meet customer needs/innovation

#18 Legal proceedings, litigation

#18t Restrictive international trade policies

#18t Product quality or contamination issues, recalls

#21 Attract/retain/motivate key personnel and management

#22 Customer/vendor/partner’s ability to finance, access to capital

#23 Anti-corruption/anti-bribery laws and regulations, including FCPA

#23t Intellectual property or trademark infringement

#23t Insurance costs and potential losses due to uninsured liabilities

#26 Fluctuation in fuel/energy/oil/transportation costs

#26t Accounting standards, including internal controls and financial reporting

Interesting news, but hardly a surprise!

Do you trust the government to set morals for AI (Artificial Intelligence) to drive cars?

Posted in eCommerce, IT Industry

The New York Times’ article about the morality of AI auto driving decisions may be based on  “government requirements for autonomous car morality might be one way to go, though the people surveyed in the Science article say they are not keen on that. Manufacturers could also tailor morality to a buyer’s choice.” The June 24, 2016 article entitled “When Machines Will Need Morals” started with example:

You’re driving through an intersection and three people step into the road; the only way to avoid hitting them is to steer into a wall, possibly causing serious injury to yourself. Would you sacrifice yourself?

Given the political debate going in 2016 on lots less complicated issues, I think most folks would not want the government to make the rules of morality for AI driven autos.

What do you think?

Great news! Cyberinsurance for Spearphishing (BEC) now available from Grandpoint Bank

Posted in Cyber, eCommerce

Reuters reported that “Grandpoint said the coverage includes losses from wire-transfer scams including business email compromise [BEC]. In business email compromise schemes, fraudsters pose as executives or vendors from a business, sending requests for money transfers to accounts controlled by criminals.”  Grandpoint operates in Southern California, Arizona and Southern Washington and Reuters reported that:

Grandpoint said the policy, which is underwritten by Hiscox Inc, a unit of Hiscox Ltd, costs $30 to $70 per month for up to $1 million in coverage.

Reuters also pointed out that:

The approach is similar to mobile phone carriers offering customers insurance for lost or stolen phones, which is also available directly through insurers.

Let’s watch to see if other banks now start offering Cyberinsurance.

Cybersecurity strategies for CISOs includes clear communications in plain English, not technical jargon!

Posted in Cyber, eCommerce

Forrester’s Report includes this observation for CISOs [Chief Information Security Officers] that creating “and maintaining a security strategy is fundamental for CISO success” but “…business colleagues need to be able to understand your strategy. If you cannot communicate it in a clear and concise manner, then all of your work will have been in vain.”  Forrester’s April 25, 2016 whitepaper published by Armor was entitled “Six Steps To A Better Security Strategy” and includes this comment about Step No. 1: Become A Credible Stakeholder:

As a security leader, your job is far more than just ensuing compliance; you have to be an expert, a collaborator, a consultant, and a decision-maker. For business executives to take your security strategy seriously, they must first see you as a capable executive. This requires some work:

Understand your organization. To be credible, you have to demonstrate that you understand what your organization does, makes, or sells, along with how it’s doing financially. More importantly, you should get to know its customers and what they care about.

Know the personalities. It’s vitally important that you understand who the key stakeholders are in your company and what their responsibilities are; their specific goals and pet projects will drive security requirements.

Here are all 6 Steps:

Step No. 1: Become A Credible Stakeholder

Step No. 2: Connect With The Business

Step No. 3: Find The Gaps

Step No. 4: Identify Security Challenges

Step No. 5: Brainstorm New Opportunities

Step No. 6: Bring It All Together

Good advice to help CISOs!