Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

Equifax confessed that it failed to protect personal data of 143+ MILLION CUSTOMERS!

Posted in Cyber, eCommerce, Internet Privacy

The New York Times reported “that hackers had gained access to company data that potentially compromised sensitive information for 143 million American consumers, including Social Security numbers and driver’s license numbers.”  The September 7, 2017 report entitled “Equifax Says Cyberattack May Have Affected 143 Million Customers” included the bad news:

Potentially adding to criticism of the company, three senior executives, including the company’s chief financial officer, John Gamble, sold shares worth almost $1.8 million in the days after the breach was discovered.

The report included these comments:

An F.B.I. spokesperson said the agency was aware of the breach and was tracking the situation.

Last year, identity thieves successfully made off with critical W-2 tax and salary data from an Equifax website. And earlier this year, thieves again stole W-2 tax data from an Equifax subsidiary, TALX, which provides online payroll, tax and human resources services to some of the nation’s largest corporations.

Hopefully this is a wake-up call about cyber risk and the need for cyber insurance and incident response plans.

Yahoo loses a court battle and a class action will proceed for massive cyber breaches in 2013-16!

Posted in Cyber

Reuters reported that “Yahoo must face nationwide litigation brought on behalf of well over 1 billion users who said their personal information was compromised in three massive data breaches.” On August 30, 2017 US District Judge Lucy Koh (Northern District of California- San Jose) in the case of In Re: Yahoo! Inc. Customer Data Security Breach Litigation ruled in favor of the class since:

All plaintiffs have alleged a risk of future identity theft, in addition to loss of value of their personal identification information.

The Reuters August 31, 2017 report entitled “Yahoo must face litigation by data breach victims: U.S. judge” included this background:

The breaches occurred between 2013 and 2016, but Yahoo was slow to disclose them, waiting more than three years to reveal the first. Revelations about the scope of the cyber attacks prompted Verizon to lower its purchase price for the company.

With this ruling many are speculating that Verizon, who recently bought Yahoo for $4.76 billion, will ultimately settle this class action rather than go to trial.

Google spent $19 million lobbying last year, is that good or bad?

Posted in eCommerce

Kenneth Vogel (no relation) reported in the New York Times that Google “helped organize conferences at which key regulators overseeing investigations into the company were presented with pro-Google arguments, sometimes without disclosure of Google’s role.” The August 30, 2017 article entitled “Google Critic Ousted From Think Tank Funded by the Tech Giant” included these comments:

Google is very aggressive in throwing its money around Washington and Brussels, and then pulling the strings,

People are so afraid of Google now.

Some tech lobbyists, think tank officials and scholars argue that the efforts help explain why Google has mostly avoided damaging regulatory and enforcement decisions in the United States of the sort levied by the European Union in late June.

What do you think about Google’s lobbying efforts?

Less than 50% of US businesses have cyber insurance, so what can they do to avoid cyber disasters?

Posted in Cyber

Darkreading reported “some organizations refuse to buy cyber insurance out of the misguided notion that they don’t “need” to worry about being hacked, this mindset isn’t entirely at fault….many enterprises have been left high and dry by cyber-insurance policies that didn’t fully protect them after a major cyber attack.” The August 21, 2017 article entitled “The Pitfalls of Cyber Insurance” included these 10 strategies to protect all businesses from cyber criminals:

  1. Keep all software and operating systems updated (remember, WannaCry and NotPetya both attacked older versions of Windows)
  2. Run robust, up-to-date antivirus software
  3. Maintain compliance with industry and regulatory standards like HIPAA and PCI-DSS
  4. Continually monitor networks for suspicious activity, 24 hours a day, 365 days a year
  5. Have in-house and/or remote security staff on hand at all times to respond to anomalies and attacks
  6. Have a comprehensive, written cybersecurity policy that is regularly reviewed and updated
  7. Train all employees on cybersecurity best practices, such as how to spot phishing emails
  8. Control physical access to sensitive areas on its premises, such as server rooms
  9. Utilize other controls, such as firewalls, network segmentation, and encryption as appropriate
  10. Perform regular backups so that systems can be restored in the event of a ransomware attack, or even a natural disaster like a fire or flood

What will you do to help avoid cyber disasters?

Gates gives cellphone advice to help avoid the destruction of a generation!

Posted in Internet Access

Melinda Gates (think Bill & Microsoft) wrote a perspective in the Washington Post that she & Bill “don’t allow cellphones at the dinner table” which led to “amazing conversation.” The August 24, 2017 perspective is entitled “Melinda Gates: I spent my career in technology. I wasn’t prepared for its effect on my kids” and included this background:

I spent my career at Microsoft trying to imagine what technology could do, and still I wasn’t prepared for smartphones and social media.

Like many parents with children my kids’ age, I didn’t understand how they would transform the way my kids grew up — and the way I wanted to parent.

I’m still trying to catch up.

The pace of change is what amazes me the most.

The challenges my younger daughter will be facing when she starts high school in the fall are light-years away from what my elder daughter, who’s now in college, experienced in 2010.

My younger daughter’s friends live a lot of their lives through filters on Instagram and Snapchat, two apps that didn’t even exist when my elder daughter was dipping a toe in social media.

Gates applauded the January 2017 French law allowing employees the “Right to Disconnect” after work hours.

Watch out! ‘Fancy Bear’ may be ready to steal your data while using hotel wifi!

Posted in Cyber, Internet Access

Wired reported that a “Russian espionage campaign has used those Wi-Fi networks to spy on high-value hotel guests, and recently started using a leaked NSA hacking tool to upgrade their attacks.” Wired’s August 11, 2017 report was entitled “Russia’s ‘Fancy Bear’ Hackers Used Leaked NSA Tool to Target Hotel Guests” and included FireEye’s report that:

…it first saw evidence that Fancy Bear might be targeting hotels in the fall of last year, when the company analyzed an intrusion that had started on one corporate employee’s computer.

The company traced that infection to the victim’s use of a hotel Wi-Fi network while traveling; 12 hours after the person had connected to that network, someone connected to the same Wi-Fi network had used the victim’s own credentials to log into their computer, install malware on their machine, and access their Outlook data.

That implies, FireEye says, that a hacker had been sitting on the same hotel’s network, possibly sniffing its data to intercept the victim’s credentials.

Maybe you should avoid hotel wifi!!!!

Here’s a good idea – don’t agree to cloud Click Agreements because the cloud is such a huge target for cybercriminals!

Posted in Cyber, E-Discovery, eCommerce

More businesses should use lawyers that understand how to negotiate cloud agreements because Click Agreements don’t provide all necessary legal requirements given Cisco’s report that “The cloud is a whole new frontier for hackers, and they are exploring its potential as an attack vector in earnest…They also recognize that they can infiltrate connected systems faster by breaching cloud systems.”  The Cisco 2017 Midyear Cybersecurity Report advised companies who rely on the cloud (like every company on earth) that:

…they need to understand their role in ensuring cloud security.

Cloud service providers are responsible for the physical, legal, operational, and infrastructure security of the technology they sell.

Before agreeing to a cloud Click Agreement you should check whether your lawyer understands how to negotiate cloud agreements!

No cyber insurance coverage for $800,000 loss for spearphishing (aka BEC -Business Email Compromise)!

Posted in Cyber, eCommerce

reported that a court agreed with Travelers “which denied coverage on the basis the loss was not a “direct loss” that was “directly caused by the use of a computer” as required by the policy.” My friend Judy Greenwald wrote the article entitled “Manufacturer can’t recover spoofing email losses from insurer” about the ruling by the US District Judge, Eastern District of Michigan (Ann Arbor) in the case American Tooling Center Inc. v. Travelers Casualty and Surety Company of America which included these facts:

The vice president received emails purportedly from the vendor instructing ATC to send payment for several legitimate outstanding invoices to a new bank account, according to the ruling.

Without verifying the new banking instructions, ATC wire-transferred about $800,000 to a bank account that was not, in fact, controlled by the vendor.

The Judge granted Summary Judgment for Travelers since:

There was no infiltration or ‘hacking’ of ATC’s computer system,

The emails themselves did not directly cause the transfer of funds; rather, ATC authorized the transfer based upon the information received in the emails,”

There is no question that verification of the spoofed email would have avoided this result, and no monies would have been transferred.

GUEST BLOG: Is your business at risk for not knowing about the liability limits under the 911 Cybersecurity Laws (Safety Act)?

Posted in Cyber

My Guest Blogger Eddie Block (CISSP, CIPM, CIPP/G, CISA, CEH) is a senior attorney in Gardere’s Litigation Group and member of the Cybersecurity and Privacy Legal Services Team who focuses on all aspects of information cyber security, including credentialing functions, firewall and IDS deployment and monitoring, and penetration testing, and related complex litigation.  Eddie blogs at JurisHacker.

Interested in liability protections? Learn about the Safety Act.

The “Support Anti-terrorism by Fostering Effective Technologies Act of 2002” or Safety Act (no, I don’t know where the “Y” came from) seems to have flown under the radar for the past 15 years with few buyers or sellers of cybersecurity technologies taking advantage of the Act and its liability protections.

Passed in the wake of the terrorist attacks on September 11, 2001, the Act’s stated intent is to incentivize the development and deployment of Qualified Anti-Terrorism Technologies (QATT), including cybersecurity technologies, in a couple of very specific ways.

First, the Act limits the Seller of a QATT’s financial liability to an amount determined by the Office of SAFETY Act within the Department of Homeland Security.  In exchange for carrying the required insurance, the seller’s liability is limited to the amount of that insurance (6 CFR Part §25.7(a)).  Additionally, no punitive, exemplary (§25.7(b)(1)), or noneconomic damages, “unless the plaintiff suffered physical harm” are available to the plaintiff (§25.7(b)(2)).

This is all great news for the Seller of a QATT, but what about their customers?  Section 25.7(d) extends these liability protections downstream:

“There shall exist only one cause of action for loss of property, personal injury, or death for performance or nonperformance of the Seller’s Qualified Anti-Terrorism Technology in relation to an Act of Terrorism. Such cause of action may be brought only against the Seller of the Qualified Anti-Terrorism Technology and may not be brought against the buyers, the buyers’ contractors, or downstream users of the Technology, the Seller’s suppliers or contractors, or any other person or entity. In addition, such cause of action must be brought in the appropriate district court of the United States.”

So putting it all together, any cause of action resulting from an Act of Terrorism regarding a QATT has exclusive federal jurisdiction, has a cap to awards, cannot include punitive, exemplary, or noneconomic (with exceptions) damages, and can only be brought against the Seller, not their subcontractors, suppliers or buyers.

What is an Act of Terrorism?  The determination of an Act of Terrorism is left to the Secretary of Defense (or their designee), but the requirements are that the Act:

  1. Is unlawful;
  2. causes harm; and
  3. uses methods designed or intended to cause mass destruction.

There is no requirement that the Act of Terrorism have a political basis.  Many attacks against public and private sector enterprises could fall under this umbrella.

Of course, this is a very high-level overview of a 10-page regulation, but with so many benefits for themselves and their customers, companies are tripping over themselves to get to the Office of Safety Act, right?

Actually, according to the Approved Awards Search site only around a dozen companies have earned awards for cybersecurity related technologies.  In a world where over 300 vendors exhibited at the most recent BlackHat conference, it would seem that the ability to offer your customers any level of liability protection would make a great differentiator.

US Cyber insurance market exceeds $2.49 Billion!

Posted in Cyber, eCommerce, Internet Privacy

A report to the Cybersecurity (EX) Task Force explains the growth of cyber insurance to more than $2.49 billion in 2016 because “Cybersecurity breaches can cause a major drain on the U.S. economy”…and in particular “Financial Services Sector is perhaps the most under attack from cyber criminals.”  The August 6, 2017 “Report on the Cybersecurity Insurance Coverage Supplement” was provided by the National Association of Insurance Commissioners (NAIC) and the Center for Insurance Policy and Research which included these details:

  • Financial firms receive, maintain and store sensitive personal financial information from their customers.
  • Cyber criminals are interested in this sensitive information as it can be used for financial gain by stealing a person’s identity for fraudulent purposes.
  • We know from observation of the dark web that personal health information is much more valuable these days than personal financial information.
  • Nation states are also known to sponsor cyber-attacks for espionage or gaining access to corporate trade secrets and business processes.
  • A growing area of concern is ransomware used to extort payments from compromised firms.

No surprises in this report to the Cybersecurity (EX) Task Force!