Category Archives: Compliance

Board Members & C-Suite Need Secure Communication Tools

Board members and other executives are the key target of hackers. There is even a term for it – whaling. This has nothing to do with anyone’s personal dimensions, but rather that they are the big fish in the pond and have the most access to data.

Many times, executives and board members are also not technical, so they don’t use sophisticated tools. Hackers know this too.

Boards are directly linked to their organization’s risk management – cyber, third party, supply chain – and have other sensitive responsibilities like ESG, compliance and diversity.

Non-profits have the additional responsibility of protecting donor and fundraising information, and they depend on the goodwill of those donors.

Non-profits also, often, have fewer security resources to protect themselves with.

So what do boards need to do to protect their companies?

  • Make sure that all sensitive communications between board members and between the board and management – which is probably almost all communications except for the lunch order – are encrypted.
  • Make sure that communications are integrated – chat, messaging, collaboration, storage. Easy to use, secure, encrypted.
  • Make sure the solution does not require a year’s worth of training to use.
  • Make sure that the solution can minimize weak links like lost devices.
  • Include the board and executive family members and home networks – they are often used and outside of the control of IT. Hackers know this and call it the soft underbelly.

If you don’t have a strategy for this, we can help you. It needs to be comprehensive, secure and, most importantly, easy to use. It also needs to be flexible enough to handle the unexpected. Also consider the board’s and executives’ non-corporate resources.

Call us and we will help you design a solution.

Credit: Help Net Security

HHS Says Preview of HIPAA Changes This Summer

I guess HHS wants to be cool, so rather than having a press conference where people can ask embarrassing questions, they are going to release the proposed changes via a prerecorded video – sometime this summer. These new rules will apply to covered entities (like doctors) and business associates (like IT providers).

Part of what they are going to release is guidance on what regulators will consider recognized security practices when deciding whether to fine a health care entity. Possibly this will give entities a little more clarity on what the “floor” for cybersecurity might be.

An update to the HITECH law requires the government to review whether an entity or business associate demonstrated recognized security practices during the prior 12 months. The review could happen after a breach or during a compliance audit.

HHS says that this video will cover how entities will need to prove which recognized security practices they are following, what HHS means by these particular practices, and the feedback they got when they asked for comment on those practices.

They said this video process will allow them to respond more quickly than using the rulemaking process, but unless last year’s legislation allows them to bypass the rulemaking process, I don’t see how this will speed things up.

While an update to HIPAA is a good thing, don’t expect anything to happen super quickly. Credit: Data Breach Today

Preserving Text Messages

CIOs have always had to worry about the challenges of preserving evidence, but now we have a whole new class of challenges.

The so-called Duty to Preserve comes into play when one party learns about the possibility of litigation. This happens, many times, before any lawsuit is actually filed. Once a party has reasonable knowledge of potential litigation, they have to make sure that potential evidence is not deleted (note: I am not a lawyer, so this may not, exactly, be technically correct, but it is close).

So let’s assume that you are the CIO of a company. It is relatively easy to preserve emails – there are many solutions for what is called a litigation hold.

It is much harder to deal with employees’ personally owned computing devices, which includes phones.

Most companies, unless they are in a particular industry like financial services, don’t have a requirement to preserve anything absent pending litigation. Once you think there could be pending litigation, things change.

Think about these things –

  • Facebook Messenger UNSEND
  • iMessage TAP BACK
  • iMessage (and many other platforms) automatic delete function
  • Signal and Telegram’s delete functions

In Fast v. GoDaddy, Fast used the unsend feature to stop disclosure of 109 messages. The court was not happy with this and sanctioned them. The court even fined them $10,000. Eventually, they did cough up 108 of the messages, but the last one never appeared.

The court concluded that the failure to produce this message warranted the court’s issuance of an adverse inference instruction at trial. Basically, this means that the judge will tell the jury that, because of the failure to produce this evidence, they may assume the contents were not favorable, or worse (again, I am not trying to be a lawyer here, but you get the idea).

The iMessage tapback feature allows an iPhone user to send back an emoticon in response. If the recipient is an Android user, however, they get a copy of the original message again, which is not what you want if you intended to delete that message. At a minimum, it could signal the existence of a deleted message. In that case too, the judge issued an adverse inference instruction: messages had been selectively deleted, and because of the tapbacks, forensic examiners could see that messages had been deleted.

If you use a messaging platform that either can or does automatically delete old messages and you have a duty to preserve, the courts can, again, issue sanctions.

That includes ephemeral messages that go away after a few seconds.

So now the IT department has to manage preserving evidence on user-owned devices. Doesn’t that sound like fun? Credit: Prof. Eric Goldman’s blog, guest post by Philip Favro

NIST Releases New Supply Chain Risk Guide

Here is another short read for you (sorry).

For those who read this blog on a regular basis, you know that we talk about supply chain risk a lot. Formally, the government calls it Cybersecurity Supply Chain Risk Management or C-SCRM.

Supply chain attacks are very popular because if you pull one off (think SolarWinds), you can infect millions of machines. SolarWinds was just one very visible one, but it seems like there is at least one every week, to varying degrees of severity.

This is another product to come out of NIST as a result of the Executive Order on Improving the Nation’s Cybersecurity (EO 14028).

At a short 300-plus pages, you are not going to consume this all at once, but starting now is a good idea. The problem is not going away any time soon.

One thing they have done is integrate C-SCRM into a broader enterprise-wide risk management conversation. Risk management includes cyber risk, but that is far from where it ends.

They also have a section on critical success factors. Definitely worth a read.

Finally, it has 10 appendices of nuts and bolts, including C-SCRM security controls, a framework, templates and resources.

You can find the document at NIST’s website, here.

If you want to have an in-depth conversation on C-SCRM, please let us know.

OCC Enters Consent Order Against ‘Digital Bank’

The Office of the Comptroller of the Currency, or OCC, regulates federally chartered banks. Digital banks, AKA crypto wunderkinds, would like to get a bank charter for a number of reasons.

One reason is that they want access to the international banking network. Another is to show that they are all grown up.

But if you want to play with the big kids, you need to act like a big kid and in the cryptocurrency scam/racket (sorry, end of editorial), that is hard.

Enter Anchorage Digital Bank. Based in South Dakota, this was a conversion of Anchorage Trust Company. In January 2021, the OCC issued conditional approval of the conversion. As part of that, the OCC approved their operating agreement.

My guess is that this was a ‘canary in the coal mine’ and this month, the canary died.

The OCC entered a 25-page consent decree against the bank, which the bank did not dispute. The OCC is explaining, loud and clear, that if you want to be part of the banking system, the rules that apply to every other bank apply to you.

Okay, so what did they do wrong?

Remember that the main purpose of cryptocurrency is to hide stuff. Also to speculate, but mostly to keep the government out of their customers’ business. Even the Swiss discovered that there are limits to that and they, over the last 10 years, have begun to play nicer with the feds.

Note: to get a better picture of how hard it is for the government to stop hackers from using cryptocurrency to evade law enforcement, read this article from the Washington Post that describes North Korea’s efforts to wash the $600 million in crypto they stole last month. So far, they have washed about $100 million of it. If Anchorage Digital wants to play with the big kids, this is what they have to wrap their arms around.

Without repeating the entire consent decree, there are two major areas, not surprisingly, that the OCC is upset with. One is the Bank Secrecy Act, which requires banks to report suspicious activity. Aren’t most cryptocurrency transactions suspicious? That is hard to do. Second is anti-money-laundering. This requires banks to actually know who is conducting business. Like IDs and corporate resolutions. All that stuff that actual banks have done for years. Together these are known as BSA/AML.

Among the actions they have to complete are creating a compliance committee of outside directors within 15 days. That is no small task, given their business model. Who wants that liability? Those members have to be approved by the OCC. Then they need to create a plan of action with milestones and get that approved by the OCC. Finally, the committee has to report to both the board and directly to the OCC periodically (like quarterly) on their progress.

The consent decree is a bit geeky but easy to read, and if you want to know the future of cryptocurrency banks and exchanges, this is kind of a roadmap. If you don’t follow this roadmap, the feds are pretty likely to shut you down. Maybe even throw a few people in jail as a signal to the others.

I found it a great read.

Credit: OCC

EU vs. Musk – I Need Some Popcorn

It **appears** that Elon Musk is going to take Twitter private. We have no clue what the result of that will be, but it might mean a more wild, wild west version of Twitter. He says that he wants less content moderation, for example.

This weekend the EU appears to have agreed to the framework of the Digital Services Act (DSA), which plans to put unprecedented restrictions on online content.

It seems like these two goals are at odds.

Of course, Musk could choose to pull out of Europe, but revenue-wise, that doesn’t seem wise, and it would certainly open up an opportunity for others to fill the void.

The DSA will prohibit targeting consumers based on gender, ethnicity or sexual preference.

It will also ban dark patterns, a topic for an entire blog post.

These might not bother Elon much.

However, it also requires platforms to incorporate an emergency mechanism to disclose the steps they are taking to censor disinformation. He might not like that.

Fines max out at 6 percent of global revenue for a first offense (about $200 million for Twitter, PER OFFENSE) and more for repeated offenses.

It also provides a mechanism for users to sue platforms in court and new protections for minors. It also provides more enforcement by the European Commission for large platforms like Twitter.

Here is a table of specific requirements by category and size of provider.

Musk has a tradition of ignoring regulations, but that has not always worked out well for him. I don’t think the EU will take kindly to that strategy.

Still, this is definitely time for popcorn.

Other countries are looking at similar restrictions and this could be a framework for them.

Credit: Computing and The EU Commission