NY Shield Act and Inadvertent Disclosure

About a year ago the Governor of New York signed the SHIELD Act into law. Among other things, the law broadened the definition of a breach to include ACCESS to the data, not just stealing it. It also broadened the definition of personally identifiable information. Notice that no one talks about non-public personal information any more; personal information is personal information. It also says that all businesses need to have a reasonable cybersecurity program. My definition of reasonable is one that you can convince 12 jurors, who don’t really want to be there and who have had their own personal information stolen more times than they can remember, is reasonable. An alternative definition is the best commercial practices available consistent with the risk. If you are the corner deli and you email people the daily specials and all you have is their name and email address, that is a different level of risk than, say, a mortgage company. Finally, the law dramatically expanded its reach to include any company, anywhere, that has private information of New Yorkers. That means that if you have a website and it collects personal information, you are likely covered. Especially if you have a breach.

But it also includes an exemption for “inadvertent disclosure”. What is important to understand is that using this exemption in case of a breach comes with some risk.

Well what does inadvertent mean?

OF COURSE, the law does not define it, but it does say that to be inadvertent, all of the following must apply: (a) the disclosure was inadvertent (circular reasoning), (b) it was disclosed by someone who was authorized to access the information and (c) the exposure is “not likely” to result in any of the following (1) misuse of the information, (2) financial harm or (3) emotional harm. It also requires businesses to document the findings in writing and keep that documentation for 5 years (in case you get sued, they can hang you, so to speak, with your own documents). And, if the breach affected more than 500 people, you must provide the Attorney General with a copy within 10 days of completing the determination.

There is, however, no case law defining inadvertent or likely. That means that you should use the exemption carefully, after consulting with legal counsel.

It should be pretty easy to determine whether the disclosure was inadvertent and whether the person who disclosed is authorized. What is harder to understand is the potential harm possibility.

Also remember it covers any company that has customers in New York, no matter where the company is located.

Welcome to the world of risk management. Not an easy job these days.

See the Law.com article for more details.

Credit: Law.com (note: registration required)


Security News for the Week Ending May 22, 2020

AG Says They Unlocked Shooter’s iPhone Without Needing Apple to Hack Their Security

For a couple of decades the FBI and Justice Department have been saying that software vendors need to insert backdoors into their security software to make it easier for the government to hack it if they want to.

One high profile case was the Pensacola Naval Air Station shooter, who was killed by police in the attack (making it difficult to prosecute him). Therefore, the FBI didn’t need anything off his phone to prosecute him, BUT they did want info in order to get useful intelligence about who he was working for/with and what other attacks might be planned.

In spite of the AG’s relentless claims that they need companies like Apple to insert backdoors into their systems – which will inevitably get into the hands of hackers and ruthless governments – Barr announced this week that they broke into the phones without Apple’s help. Barr said that hacking the phones was due to the great work of the FBI. Much more likely, they just placed the phone in a Cellebrite box (or a competitor’s) and waited.

What probably galls Barr is that if he doesn’t have an unlimited license (which I am sure he does), he would have had to pay Cellebrite $1,500 for each phone he wanted to unlock.

This announcement definitely weakens the argument that software vendors need to weaken security for everyone so that the police can hack phones when it is important. Credit: The Register

Rogue ADT Tech Spies on Customer CCTV of Teen Girl

ADT has revealed that one of their techs used his permissions to access the accounts of hundreds of ADT customers and watch them via their security cameras. Last month an ADT customer in Dallas spotted an unexpected email address listed as an admin user on their account. The employee had used that email to access the home’s cameras over 100 times.

Apparently, not only could he spy on naked customers, but he could also unlock their homes if they had smart locks. One of the naked customers in question sued ADT last week.

People need to think about where they place security cameras and whether smart locks are really smart to use. Credit: The Register

Details Leaking on WHY for Prez’s EO on Securing the Grid

Earlier this month, the president issued an EO that sorta, kinda stopped the power grid from buying things that could allow adversaries to compromise the grid. I said sorta, kinda because the EO (read the text) doesn’t actually identify anything that people can’t buy. It does, however, form a committee to figure out what that might be.

Here’s what’s new. A U.S. power utility discovered a “hardware backdoor” on a Chinese transformer that was delivered to them and that they found things “that should not be there”. They think there are many of these already installed in America.

If true (and I have no reason to doubt it, but there are almost no details to confirm it), that could be a really serious problem. A bigger problem is that the U.S. doesn’t manufacture any big transformers like the kind the utilities use.

So, if the feds ban Chinese transformers, I can describe a scenario where folks working in cooperation with the Chinese destroy a sufficient number of existing transformers while utilities are not allowed to buy replacements, potentially leaving millions in brown-out or black-out conditions for months. Homeland Security is believed to have been secretly trying to figure out a solution for several years. Credit: CSO Online

Hackers Jailbreak New Apple iOS One Day After Release

Apple announced a new version of the iPhone software, 13.5, this week and the next day hackers claimed they had a hack to jailbreak the new version – every device, even the iPad Pro. That can’t possibly make Apple happy, but there are some in the hacking community that are very happy. Credit: Mac Rumors

Chinese Hardware Powers US Voting Machines

Third party risk company Interos took apart one very popular, widely used, touch screen voting machine and found that 20% of the machine’s components came from a company headquartered in Russia or China. 59% of the parts came from companies with locations in Russia and China.

Interos Visualization of Voting Machine Suppliers by Country. Image courtesy of Interos.

The red dots represent components from companies based in China. Given that the U.S. manufactures very little any more, this is not much of a surprise.

Paper based vote by mail sounds better by the day. Credit: Security Ledger


Japan Defense Contractors Hacked Like US Contractors

There is this expression – misery loves company. Well, maybe, the group of U.S. defense contractors who have been hacked feel better that they are not alone.

Of course, maybe not.

I am not sure why this information is coming out now, but, if we assume that the groups who are attacking the Japanese are also attacking us, getting information is good.

The Japan Ministry of Defense said that there was an attack on Mitsubishi earlier this year and information related to bidding for defense research contracts was likely stolen in a breach. This happened because Mitsubishi took paper documents that were sensitive, scanned them and put them on their internal network, which was hacked. Mitsubishi didn’t disclose the breach for 6 months, which probably didn’t make the Ministry too happy. They said, surprise, that China was likely behind the attack.

In January 2020, NEC, another Japanese tech company, admitted their network was hacked back in 2016 and the hack was discovered in 2017. The data that was stolen was encrypted, but decrypted in 2018. They discovered that 27,000+ files belonging to NEC’s defense business were stolen.

Recently, Pasco Corp and Kobe Steel, which are also defense contractors, disclosed a breach dating back to 2015, followed by a second breach in 2016. Pasco does aerial image surveillance. What might be sensitive there? Kobe sells underwater submarine launch tubes and other parts to Japan’s military.

While I am not clear why we are hearing about breaches dating back to 2015 just now, the range of companies breached is broad.

This likely means that American companies that are anywhere in the defense food chain are targets too and should increase their level of vigilance.

One unsettling disclosure is that it took some of the companies years to figure out that they had been hacked and even more years to figure out what was taken.

Credit: CISO Magazine


Internet Voting – Safe or Not?

If you ask the Department of Homeland Security, FBI or the Election Assistance Commission, they say Slow down, bucko.

Securing Internet voting is hard to do. Very hard to do.

Internet voting falls into several categories:

  • Sending ballots digitally to voters
  • Sending ballots digitally, marking them only and printing out the results to return the old fashioned way
  • Ballots that are both sent and received digitally

There are dangers to all of these, but the most dangerous is the last.

Some states are experimenting with digital voting in limited ways – say in primaries or for voters with disabilities.

There is a lot of attractiveness to online voting. For one thing, it is simpler for the end user. After all, I don’t understand the attractiveness of waiting on a line with hundreds of strangers for several hours to cast a vote that might take a minute or two if it could be done safely online.

Of course it would cost states billions to upgrade their antique voting management process to support digital voting – ignoring the security issues.

But think about it this way –

Who would want to change your ballot anyway? The answer is that the list is very long from nation states, to competitive candidates to people who want to cause chaos to any number of people.

Then the other problem. Over the last 10 years we have been working very hard to figure out how to be technically able to verify votes that are cast at polling centers on PCs. Finally, many states, but not all, are requiring these PCs (they call them voting machines, but they are really just Windows or Linux PCs) to print out a slip of paper with your votes on it. Some, including Colorado, require these slips to have human readable text that allows the voter to read the receipt and say “yup, those are the people that I voted for”. Some receipts have just a QR code on them. How does that help the voter know whether his or her vote was recorded correctly?

When it comes to pure digital voting, how would you know if the digital ballot you completed was ever received by the county clerk or whether it was changed, somehow, along the way? Currently, no way at all.

If the clerk sends you a ballot and you print it out and return it by mail or in person, it is, maybe, possible to hack, but not in any large way, so the risk is lower.

At some point we will get to all digital voting, but it will take time.

There are too many folks that would really like to undermine the confidence of the American public in the outcome of the election.

Just this year the President has said time and again that even plain old paper ballots sent and returned by mail are a major fraud problem. Colorado has been doing just that for 5 years now with no evidence of major fraud, but let’s assume for the moment that voting on paper ballots with ink via the mail does increase fraud by some percentage. Imagine what the President might say about fully digital voting.

Credit: Washington Post


Cyber Insurance Demand Heats Up

Insurance brokers and industry attorneys say that cyber insurance is heating up.

They are seeing both an uptick in CLAIMS and an uptick in INQUIRIES, likely as a result of an uptick in attacks.

Actually, the uptick in attacks is more like a flood since Covid-19 came around. Note that many of them won’t be detected until business as usual resumes – whenever that is.

The issue is that the move to work at home has increased the attack surface, for a lot of reasons, including the fact that companies did not have the time to plan for it.

At least some of you have cyber policies, so here are some questions to be asking. For those of you buying, this is a great time to ask questions.

First of all, do you have the right coverages? We have seen many policies that do not include ransomware coverage. Kind of a problem these days.

Insurance broker Marsh says that they are not seeing Covid-19 exclusions (or more generally pandemic exclusions) – yet.

But they are seeing carriers asking more questions – for example about disaster recovery and business continuity – things that would be very important to have during a ransomware attack and which, if not in place, will definitely cost the carrier a lot of money to spin up in real time.

Aon says they are seeing more scrutiny during underwriting. The carriers are asking about whether prospects have adequate security measures in place for remote working.

Then there is that wonderful catchall – do you maintain reasonable security measures? That is something that your lawyer and your insurance company’s team of lawyers can argue about for a long (expensive) time.

Zurich insurance says that businesses who are dealing with the pandemic should focus on risk mitigation and conduct cyber risk assessments to identify their specific risks.

Then there are basic questions like the definition of a computer network. Is your employee, using his or her personally owned computer, running on his or her personally owned WiFi connection, considered part of your computer network? What about personally owned hardware? Is it covered?

Whether the carrier wins that argument or not, they may try to wear you down.

And you need to understand what coverage you have when it comes to breach response costs. There may be sub-limits and restrictions and those costs may be deducted from the total coverage available.

Will there be coverage if your employee’s home WiFi was compromised years ago, the employee didn’t do anything to secure it or detect the breach and you get hit for a CCPA breach lawsuit for data leaking out that way? Running, potentially, in the millions.

These are all risks that you need to understand and before a breach would be a really good time to do that.

Credit: Law360


Security News for the Week Ending May 15, 2020

Pitney Bowes Hit By Ransomware for 2nd Time in 7 Months

Pitney Bowes has verified that it has been hit by a ransomware attack for the second time in 7 months. This time it is the Maze ransomware, which steals data before encrypting your systems. Sometimes ransomware hackers leave their hooks in a victim’s system so they can come back later and cause more pain. Again I ask – are you ready? Credit: Computer Weekly

U.S. To Accuse China of Trying To Steal Vaccine Data

The U.S. says – no surprise – that other countries such as China, Vietnam and even South Korea are trying to steal vaccine research, treatments and testing. Other than warning businesses that other countries are trying to steal our stuff, it is not clear what the government can or plans to do. Credit: MSN

Security May Be Victim to Business Downturn

In fairness, all costs have to be justified during a business downturn and security costs are one of those costs.

As companies lay off employees and downsize, security teams are at risk because they don’t tie directly to revenue.

But all you need to do is ask a company that had even a small breach and spent, say, $1 million on it, whether saving the salary of that dedicated security team member made sense in hindsight.

The bad news is that the hackers understand this and they will watch for companies that are not paying attention.

Of course, that does not mean that every company is spending every security dollar wisely. Probably not. Credit: WSJ

Ransomware is Getting to be Like Commercial Software with Feature Releases

Something tells me that this is not a good thing, but ransomware software is big business. As a result developers are enhancing their software with new releases. The Sodinokibi (REvil) software has added a new feature that allows it to encrypt files, even if they are open and locked by another process. The ransomware kills the process or processes that are locking the file and then encrypts it, after stealing a copy first. Adding features seems to work for companies like Google and Microsoft…. Credit: Bleeping Computer

FBI Reportedly Asks Apple for Contents of Senator Burr’s iPhone

Senator Burr is being investigated for selling stocks after he was briefed on the Coronavirus as the chairman of the Senate Intelligence Committee. The FBI asked for his phone, which his attorney gave them. Apparently the FBI was able to get a warrant after they asked Apple for the contents of Burr’s iCloud account. Apple seems to be willing to give the cops your iCloud data, which they can decrypt, if the cops remember to ask in time. It has been reported that in late January and early February, Burr and his wife sold between $600,000 and $1.7 million worth of stock. The market started its nosedive around February 20th. Credit: CNet
