Internet, Information Technology & e-Discovery Blog


Social changes brought about by the Internet & Technology

Do you trust Equifax? Apparently IRS believes a new $7.25 million contract with Equifax is a good idea!

Posted in Cyber, eCommerce

Gizmodo reported that IRS defends its new $7.25 million contract with Equifax as a “no bid sole source” contract “to help verify US taxpayers’ identities,” and claims that cancelling it “would have prevented thousands of hurricane victims from obtaining much needed…. tax information.”  The October 5, 2017 story entitled “IRS Chief Says Aborting Equifax Contract Could Harm Hurricane Victims” included IRS chief John Koskinen’s argument “that the circumstance was unavoidable,” since Equifax’s existing contract expired on September 30, 2017, and Equifax is challenging an award to another vendor, a protest that will not be resolved before October 16.

CNBC reported that 7 “members of the Senate Banking Committee are asking the Internal Revenue Service to rescind a $7.25 million contract with Equifax” saying that:

…the awarding of the contract shows a clear disregard for millions of Americans who had their personal information stolen.

How can IRS trust Equifax since at least 143 million people don’t?

Surprised? Equifax learned about its cyber exposure in March, but failed to do anything!

Posted in Cyber, eCommerce

Reuters reported that former Equifax CEO Richard Smith (who retired suddenly last week) provided written testimony that “Equifax was alerted to the breach by the U.S. Homeland Security Department on March 9,…, but it was not patched.”  The October 2, 2017 report entitled “Equifax failed to patch security vulnerability in March: former CEO” included these comments about the testimony provided to the Energy and Commerce Committee:

On March 15, Equifax’s information security department ran scans that should have identified any systems that were vulnerable to the software issue but did not, the testimony said.

As a result, “the vulnerability remained in an Equifax web application much longer than it should have,” Smith said. “It was this unpatched vulnerability that allowed hackers to access personal identifying information.”

In his testimony, Smith said it appears the first date hackers accessed sensitive information may have been on May 13. He said “between May 13 and July 30, there is evidence to suggest that the attacker(s) continued to access sensitive information.”

Smith said security personnel noticed suspicious activity on July 29 and disabled the web application on July 30, ending the hacking. He said he was alerted the following day, but was not aware of the scope of the stolen data.

On Aug. 2, the company alerted the FBI and retained a law firm and consulting firm to provide advice. Smith notified the board’s lead director on Aug. 22.

We will likely continue to see bad news in the aftermath of Equifax’s confession of exposing more than 143 million individuals’ personal data.

GUEST BLOG: Will cyber disasters finally be the reason that IT folks learn to speak English rather than Geek Talk (think Technology)?

Posted in Cyber, IT Industry

My Guest Blogger Eddie Block (CISSP, CIPM, CIPP/G, CISA, CEH) is a senior attorney in Gardere’s Litigation Group and member of the Cybersecurity and Privacy Legal Services Team who focuses on all aspects of information cyber security, including credentialing functions, firewall and IDS deployment and monitoring, and penetration testing, and related complex litigation.  Eddie blogs at JurisHacker.

For many years I have said that “anybody that’s good with computers is incapable of having a meaningful relationship with another human,” so I was pleased to see Eddie’s blog:

Translation services available

When I was a penetration tester I struggled to adequately express the importance of the vulnerabilities I identified.  For some reason, I couldn’t convince the business and legal teams that the vulnerabilities had to be mitigated and that the business had to spend time and money on the effort.

Like many young and excitable IT and security people, I couldn’t understand why no one could grasp why this was important.  “Are they idiots?”, “Don’t they get it?”, “They just don’t care about security!”

It turns out it wasn’t their failure, but mine.  I wasn’t speaking in the right language.

I dropped out of the security world for three years and went to law school.  When I enrolled, my goal was not to become a lawyer, but to learn to think and write like a lawyer.  I enjoyed law school and took full advantage of the opportunities presented to me.  I was able to work as a research assistant for one of the legal research and writing professors (Thanks Mike!), serve on the editorial board of the Law Journal, earn a fellowship in the Center for Terrorism Law, and leverage my IT skills to get a job in the Westlaw lab.

I really enjoyed law school.

After law school I returned to security, this time with a different language under my belt and a better understanding of how to present my concerns.  I couldn’t think in terms of security vulnerabilities anymore.  I had to speak another language.

My big discovery was:

  • Security thinks about vulnerabilities;
  • Executives think about risk; and
  • Lawyers think about liability.

While they sound similar, they are distinct ways of approaching a decision.  In order to communicate the importance of security to different audiences, I had to adapt to them and not expect them to adapt to me.

So need additional funding for a security project?  Write up your proposals geared toward the audience and how they think.  Does the lack of a security control create risk to the organization?  Will the organization breach a duty and become liable under a contract, law, or regulation?

These subtle shifts in thinking may help drive the discussion forward and lead to better understanding and better security.

Poor cyber security equals +1.9 billion records exposed in the first 6 months of 2017!

Posted in Cyber

Gemalto issued a report stating that “identity theft breaches continues to remain high and result in many records being stolen shows that organizations are still not adequately addressing this threat.” The September 2017 report entitled “2017 Poor Internal Security Practices Take a Toll” included these comments:

A large portion of accidental loss are the result of poor internal security practices or unsecure databases.

One of the main takeaways from the findings is that security needs to be comprehensive, not only including tools such as network protection and access controls, but data encryption and multi-factor authentication as well, so in the event of a breach cyber criminals will not be able to do anything with the stolen information.

Gemalto’s “Data breach statistics 2017: First half results are in” about the report stated:

  • The huge international data breach problem becomes palpable when you consider that Gemalto has discovered 1,901,866,611 compromised data records in just the first half of 2017.
  • In fact, IDC predicts that by 2020, more than 1.5 billion people, or roughly a quarter of the world’s population, will be affected by data breaches.
  • The United States has been continuously the world leader in data breach incidents.
  • Of the 918 breaches, 801 of them occurred in the US. The UK places a distant second with 40 incidents, and Canada’s third with 26.

No surprises, but these are pretty gloomy prospects for the future!

GUEST BLOG: Are you surprised to hear that Equifax’s security chief doesn’t have a degree in technology, rather majored in music?

Posted in Cyber, IT Industry

My Guest Blogger Eddie Block (CISSP, CIPM, CIPP/G, CISA, CEH) is a senior attorney in Gardere’s Litigation Group and member of the Cybersecurity and Privacy Legal Services Team who focuses on all aspects of information cyber security, including credentialing functions, firewall and IDS deployment and monitoring, and penetration testing, and related complex litigation.  Eddie blogs at JurisHacker.

What qualifies a CISO?

Since the Equifax breach a screenshot of the CSO’s music degrees has been floating around the Internet.

As a Classical Civilizations undergrad, I take issue with the implications.  During college I built networks and databases and worked on systems of all types.  I also spent my summers on archaeological sites in Israel.

After graduating from college, I worked helpdesk support, moved into system administration, started securing systems and networks.  I eventually became a full time pentester.  Midcareer, I dropped out of InfoSec and went to law school.

After law school I went back into security doing product security, working with DoD networks, and securing a $20 billion enterprise.  I eventually served as the Chief Information Security Officer for the State of Texas.

So I was the CISO for a state of 28 million people with degrees in Classical Civilizations and Law.  Does that make me unqualified for my job?  Should I have stuck with my life in archaeology?

I know a loooottttttt of people in InfoSec with no or unrelated degrees.  In fact there was almost no university offering a security degree when I or my friends were in college.

What makes a security person?  Curiosity.  Grab all the degrees and certifications you want, without a natural curiosity of how things work (and more importantly break) you won’t make it in InfoSec.  Making things work in unintended ways is the fundamental tenet of security.  The most important word in InfoSec is “Huh?”

So was Ms. Mauldin qualified to lead Equifax’s security program?  I don’t know, but I won’t make that judgment based on her degrees.


Oops! Malware distributed by an antivirus company with its PC tune-up tool to more than 2.27 million users!

Posted in Cyber

My good friend Kevin Campbell (SVP/CIO at Hunt Consolidated, Inc.) shared this bad news that “Antivirus firm Avast has admitted inadvertently distributing a trojanised version of CCleaner, a popular PC tune-up tool, for nearly a month, infecting an estimated 2.27 million users.”  This was reported by The Register on September 18, 2017 in a story entitled “Downloaded CCleaner lately? Oo, awks… it was stuffed with malware” which included this observation:

The attack is particularly dangerous because it exploits the trust consumers have with their software suppliers, a vector that has been seen before.

Thanks to Kevin for sharing this terrible news!
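The trust-in-the-supplier vector described above is exactly what a hash pinned out of band is meant to catch. The following is an added example (not code from the original post, nor from Avast or Piriform) showing the check a practitioner would put in front of an installer before running it: compute the download’s SHA-256 and refuse to proceed unless it matches a value recorded when the release was vetted. The installer bytes and the pinned hash are constructed for this example; the file names are illustrative.

```python
"""Added example (not from the original post or from Avast/Piriform):
gate an installer on a SHA-256 pinned out of band before it is run.

The installer bytes and the pinned hash below are constructed for this
example; in practice the data would be the downloaded file's contents.
"""
import hashlib
import hmac

# Constructed stand-in for the vendor's genuine build of the installer.
GENUINE_INSTALLER = b"ccsetup-style installer: genuine build bytes (constructed)"

# Constructed stand-in for the same release after a build-pipeline compromise:
# identical file name, same leading content, extra stage-one loader appended.
TROJANISED_INSTALLER = GENUINE_INSTALLER + b"\x00stage-one loader (constructed)"

# Hash recorded when the release was vetted, kept somewhere the vendor's
# download server cannot rewrite (an internal manifest, a change ticket, a
# signed allow-list). Computed here from the constructed genuine bytes only
# so that this example is self-contained.
PINNED_SHA256 = hashlib.sha256(GENUINE_INSTALLER).hexdigest()


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file contents as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, pinned_sha256: str) -> bool:
    """True only if the download's SHA-256 equals the pinned value.

    hmac.compare_digest compares in constant time, so the check does not
    leak how many leading hex digits happened to match.
    """
    return hmac.compare_digest(sha256_hex(data), pinned_sha256.lower())


def vet_installer(name: str, data: bytes, pinned_sha256: str) -> str:
    """Refuse, rather than warn, when the hash does not match."""
    if not verify_download(data, pinned_sha256):
        raise ValueError(
            f"{name}: SHA-256 {sha256_hex(data)} does not match pinned "
            f"{pinned_sha256}; refusing to install"
        )
    return f"{name}: hash verified, ok to install"


if __name__ == "__main__":
    print(vet_installer("ccsetup.exe", GENUINE_INSTALLER, PINNED_SHA256))
    try:
        vet_installer("ccsetup.exe", TROJANISED_INSTALLER, PINNED_SHA256)
    except ValueError as exc:
        print(exc)
```

The caveat is where the pinned value comes from: a hash copied from the same download page the installer came from proves nothing if the vendor’s release pipeline itself was compromised, which is what happened here, and the poisoned CCleaner build also carried a valid vendor code-signing signature, so a signature check alone would not have flagged it either. The pin has to come from independent vetting of the specific build, and a mismatch has to block the install rather than log a warning.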

GUEST BLOG: Neither Rain, nor Sleet, nor Dark of Night Shall Stay the Application of HIPAA Regulations…

Posted in Cyber, Internet Privacy

My Guest Blogger Eric Levy is a senior attorney in Gardere’s Trial Practice Group who focuses on HIPAA, PHI, cyber security, PCI compliance, PII, eCommerce, and related complex contract negotiations and litigation. Eric has received the Certified Information Privacy Professional (CIPP-US) designation from the International Association of Privacy Professionals (“IAPP”).

It is beyond dispute that Hurricanes Harvey and Irma caused catastrophic levels of property damage to individuals and businesses in Texas, Florida and the rest of the Gulf Coast. In the midst of this devastation, however, the Office for Civil Rights (OCR) recently made a point to identify a particular type of property that cannot, under any circumstances, be permitted to be damaged by natural disaster: electronic protected health information (e-PHI).

Per OCR, the HIPAA Security Rule is not suspended at all during a national or public health emergency. Covered entities and business associates are required, under the Security Rule, to protect against any reasonably anticipated threats or hazards to the security or integrity of e-PHI that they create, receive, maintain or transmit. Other provisions of the Security Rule require covered entities to implement security measures that specifically contemplate emergency conditions. For example, covered entities and potentially business associates must have contingency plans, including disaster recovery and emergency mode operation plans, which establish policies and procedures for responding to an emergency or other occurrence (fire, system failure and natural disaster) that damages systems that contain e-PHI. In other words, companies that obtain, store and/or use e-PHI must take steps to ensure that all such e-PHI is accessible before, during and after an emergency, including backing up the data to the cloud or another secure location (one that will not be impacted by the emergency afflicting the covered entity).

Parts of the HIPAA Privacy Rule may be waived during a national or public health emergency. If the President declares an emergency or disaster and the HHS Secretary declares a public health emergency, the Secretary may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule, including the requirement to distribute a notice of privacy practices and the patient’s right to request privacy restrictions or confidential communications. If the Secretary issues such a waiver, it only applies: (1) in the emergency area and for the emergency period identified in the public health emergency declaration, and (2) to hospitals that have instituted a disaster protocol for up to 72 hours from the time the hospital implements that protocol. Regardless of the activation of an emergency waiver, the HIPAA Privacy Rule permits disclosures for treatment purposes and certain disclosures to disaster relief organizations. For instance, the Privacy Rule allows covered entities to share patient information with the American Red Cross so it can notify family members of the patient’s location.

Judge Posner who relied on Wikipedia retires at 78

Posted in Social Media

Judge Richard Posner, who served for 35 years and was famous for his reliance on Wikipedia as legal authority over the past 10 years, was known for his “restless intellect, withering candor and superhuman output [that] made him among the most provocative figures in American law in the last half-century.”  The New York Times September 11, 2017 article entitled “An Exit Interview With Richard Posner, Judicial Provocateur” included these observations about the retirement of Judge Posner (US 7th Circuit Court of Appeals):

The immediate reason for his retirement was less abstract, he said.

He had become concerned with the plight of litigants who represented themselves in civil cases, often filing handwritten appeals.

Their grievances were real, he said, but the legal system was treating them impatiently, dismissing their cases over technical matters.

Before his appointment to the bench he was a well-respected law professor at the University of Chicago, where many of my friends have reflected on his great teaching prowess.

Equifax confessed that it failed to protect personal data of 143+MILLION CUSTOMERS!

Posted in Cyber, eCommerce, Internet Privacy

The New York Times reported “that hackers had gained access to company data that potentially compromised sensitive information for 143 million American consumers, including Social Security numbers and driver’s license numbers.”  The September 7, 2017 report entitled “Equifax Says Cyberattack May Have Affected 143 Million Customers” included the bad news:

Potentially adding to criticism of the company, three senior executives, including the company’s chief financial officer, John Gamble, sold shares worth almost $1.8 million in the days after the breach was discovered.

The report included these comments:

An F.B.I. spokesperson said the agency was aware of the breach and was tracking the situation.

Last year, identity thieves successfully made off with critical W-2 tax and salary data from an Equifax website. And earlier this year, thieves again stole W-2 tax data from an Equifax subsidiary, TALX, which provides online payroll, tax and human resources services to some of the nation’s largest corporations.

Hopefully this is a wake-up call about cyber risk and the need for cyber insurance and incident response plans.

Yahoo loses a court battle and a class action will proceed for massive cyber breaches in 2013-16!

Posted in Cyber

Reuters reported that “Yahoo must face nationwide litigation brought on behalf of well over 1 billion users who said their personal information was compromised in three massive data breaches.” On August 30, 2017 US District Judge Lucy Koh (Northern District of California, San Jose) ruled in In Re: Yahoo! Inc. Customer Data Security Breach Litigation that the class claims could proceed, since:

All plaintiffs have alleged a risk of future identity theft, in addition to loss of value of their personal identification information.

The Reuters August 31, 2017 report entitled “Yahoo must face litigation by data breach victims: U.S. judge” included this background:

The breaches occurred between 2013 and 2016, but Yahoo was slow to disclose them, waiting more than three years to reveal the first. Revelations about the scope of the cyber attacks prompted Verizon to lower its purchase price for the company.

With this ruling many are speculating that Verizon, which recently bought Yahoo for $4.76 billion, will ultimately settle this class action rather than go to trial.