Category Archives: Compliance

Be Careful What Contracts You Sign

While the details of this are interesting, what is more important is thinking about all of the contracts that you sign.

This is a legal battle that goes back several years.

In one corner is Fiserv, the Fortune 200 +/- financial services software behemoth.

In the other corner is Bessemer System Federal Credit Union, a small community credit union in Pennsylvania.

In 2018 Brian Krebs reported bugs in Fiserv’s platform that allowed one customer to see another customer’s name, address, bank account number and phone number.

So Bessemer FCU did some more testing and found more bugs – security holes.

According to the credit union, Fiserv responded with an aggressive notice of claims, attempting to silence Bessemer if they discussed these security bugs with third parties, including other Fiserv customers.

In the end Bessemer sued Fiserv and Fiserv counterclaimed.

Fiserv said Bessemer breached its contract, among other things, and wanted attorney fees.

Much of the argument seems to be around the security review, which, if accurate, shows that Fiserv’s software is not secure, something other Fiserv customers might want to know about.

Fiserv says that Bessemer just wants to embarrass Fiserv and get out of paying some bills.

Without spending a lot of time reviewing legal documents, it appears that Bessemer was not happy with Fiserv’s response to being notified about the bugs (like in fixing them, soon) and wants to terminate the contract.

Fiserv appears to want to silence a critic (boy is that failing) and doesn’t want to let the customer out of its contract.

So what does that mean for you if you sign a contract with a vendor? Here are some thoughts.

  • The vendor is going to want you to sign as long a contract as possible and will usually offer you a price incentive to do so. If this is a new vendor, that is likely not a good deal for you. Shorter might make more sense.
  • You should review the reasons that you can terminate the contract and what that termination will cost you.
  • You should look for any clauses that stop you from talking about the vendor’s product quality. This is different than disclosing secrets. While bugs and security flaws may be secret, they should not be covered by these types of contract restrictions.
  • Vendors should have a fixed amount of time to fix serious bugs or you should be able to terminate your contract.
  • The contract should spell out that the vendor is liable for your losses as a result of security bugs. Software vendors will resist this like the plague, but why should you be responsible for their bad software?

The lawsuit is ongoing. It will be interesting to see how this works out. Given this is now in the news, Fiserv might be smart to try and make it go away. Quietly. A trial could be ugly. On the other hand, Fiserv has a lot more money than Bessemer does.

Stay tuned.

But think about those contracts you signed and how you would fare in a similar situation.

On the other side, if you are a software vendor, how would you handle this situation?

Credit: Security Week

Are You Ready for the Next Supply Chain Attack?

On Friday, title industry software and consulting provider Cloudstar was hit by a ransomware attack. Cloudstar operates 6 data centers and supports over 40,000 customer users. Now those customers are wondering what they are going to do.

Cloudstar users who close real estate sales are dependent on Cloudstar’s systems being up.

Cloudstar has been down since Friday. Their CEO says he doesn’t know when the systems will be back operational.

Cloudstar’s customers are scrambling today to be able to close loans.

In the meantime Cloudstar has brought in third party experts to help them.

While it is possible that Cloudstar was specifically targeted as suggested in a Housing Wire article, no one knows if that is true or not. It is certainly possible that they were just another random victim after an employee clicked on a malicious link.

This particular software is core to the title business so it is not like a title company can do a Google search and replace it. Cloudstar’s competing service providers are circling like vultures, offering free setup and who knows what else, but the problem is that the companies that use Cloudstar’s services do not have access to the forms and client data that lives on Cloudstar’s platform, which is now encrypted. Credit: ALTA

Title companies who are affected by this attack likely must report this to their regulator as the assumption by the federal government is that ransomware equals data compromise. They also likely have to tell customers that their loan or other data may have been compromised.

Some of Cloudstar’s customers may go out of business, depending on how long Cloudstar is down. It could be anywhere from a few days to a month. Or more.

In helping our clients respond to Fannie Mae audits (MORA), Fannie seems to be much more interested in regulated entities’ ability to respond to a ransomware attack and continue to support their customers. This is yet another concern that companies need to be aware of.

But take a step back from the specifics of this supply chain attack. You likely have vendors that are critical to your business and which are also a single point of failure that cannot be easily or quickly replaced. Given the number of ransomware and other cyber breach attacks against service providers, companies need to prepare themselves for the possibility that they will be in the same boat as the customers of Cloudstar are today. The alternative is that you lose access to your data, your business comes to a complete standstill, you have to report to regulators and customers that you lost control of your data and, potentially, face significant expenses.

Are you ready?

Additional info credit: The Title Report

Is Your Company Ready for the Wave of Privacy Laws Here and to Come?

First it was California (version 1 and version 2); then it was Virginia. Now it is Colorado. IT IS NOT GOING TO STOP THERE.

California’s CCPA covered human resources data somewhat. CPRA covers it completely and will require HR departments to create programs to protect HR data.

This includes notices at the time data is collected, new data privacy practices, new rules for third parties that the company uses and procedures for when employees exercise their rights.

While Virginia and Colorado were the next two dominoes to fall, there are about two dozen bills in various state houses.

Some of these cover HR data; others do not.

The Colorado and Virginia laws are more likely to be the model going forward – with, of course, twists and turns. In part, this is because these laws are written more coherently. Of course that doesn’t mean that some states won’t model their laws after California’s.

Unlike California, the Colorado and Virginia laws do not allow for a private right of action – a key contention in getting an agreement for a national privacy law. The Colorado law does allow local district attorneys to go after violators.

All of these laws have three different sets of responsibilities –

  1. Data controllers – the company or person responsible for the data
  2. Data processors – an organization that acts as an agent for the controller and in some way processes the data
  3. The individuals – who have new data rights

Even if the law in a particular state does not affect employee data, HR is likely going to need to be involved anyway. New policies and programs will affect employees in many ways and HR will need to help companies navigate the new path.

And, of course, companies are going to need to figure out where their customers and visitors are located because which law applies is based on their location, not yours.

In addition, companies will need to engage legal talent, whether internal or external.

January 1, 2023 is really not that far away.

For more details, see this article at JD Supra

Vaccine Passports

Talk about a political football, oh my.

Florida has passed a law outlawing them. Not sure that Florida is a bastion of privacy – just wants to stick it to certain folks.

But, if some other state or other company requires it, the law is meaningless. Let’s say, just making something up, that New York requires a vaccine passport to enter. Joe gets on a plane in Florida and when he arrives in New York, they say “Passport please”. Joe doesn’t have one and complains that Florida law makes that illegal. Joe now gets to get back on the plane and return to Florida. Foreign countries are unlikely to be moved by such a law in Florida.

But some lawyers are saying that even in Florida, such a law may be unenforceable – kind of an illegal law. I guess we have to wait for the courts to decide that one.

But one company has decided to capitalize on this.

CLEAR, the company that runs the fast lane at airports for folks that pay hundreds of dollars a year to go to the front of the line, has created a vaccine passport app. I don’t *think* there is a cost to the user for this one. That probably would not be popular. Businesses, on the other hand, are likely fair game.

Currently 60 stadiums and venues are deploying the CLEAR app, including the New York Mets and the San Francisco Giants. You can use paper proof, but the motivation is that CLEAR is faster.

It seems likely that CLEAR will store your data, probably including every time you use the app.

Privacy advocates are rightfully concerned about this.

United Airlines is already using the app in their LA to Hawaii flights since Hawaii has requirements for vaccines and/or negative tests.

Excelsior pass is New York’s version of CLEAR. Built by IBM and only for New York residents, it is another competitor in what is going to be a crowded field.

Several European countries have built apps for access to transportation, gyms and even restaurants.

To use the CLEAR app, you take a picture of your drivers license and upload it with a selfie. They then connect to hundreds of labs to look for results. Not sure what happens if your name is not in one of those databases.

I am sure that these apps are unhackable. That is certainly a valid concern, depending on how much data they keep.

This battle is far from over. It is not clear how it is going to turn out. On the other hand, you might be right, but still get your butt shoved back in an airplane seat to go home — at your cost — instead of starting your vacation, so you do have to consider whether that is a battle that you are willing to fight.

Also remember that getting in the face of airline personnel, border agents and police can get you thrown into jail, particularly in some foreign countries, but even in the U.S. This week an airline passenger on a Miami to New York flight had to be zip-tied by an off-duty cop after she assaulted a flight crew member. The passenger said that the cops weren’t going to do anything, just before they zip-tied her into her seat. She was arrested when the plane landed in New York and is being charged with several felonies. Credit: Yahoo

Credit: Cybernews and MSNBC

Government is No Better at Managing Supply Chain Risk Than we Are

The GAO, formerly known as the General Accounting Office, works for Congress and does studies of how horribly inefficient the government is. In theory, that is so Congress can create new laws to make them do what any sensible organization would do without the laws. Here is one example.

The GAO reviewed the security practice of 23 government agencies with regard to information and communications technology products (what you and I call networks and computers). They identified 7 practices for managing these risks and then they graded the agencies on how they were doing. What they found was:

  • Few implemented the practices
  • None had FULLY implemented the practices
  • 14 had implemented NONE of the practices

Feel better? The only downside is the government gets hacked too – as we have seen very publicly lately.

Here are some of the highlights from the report.

Here is where these agencies get their stuff from. This is not where the sales office is, but rather where the stuff is made.

Figure 1: Examples of Locations of Manufacturers or Suppliers of Information and Communications Technology Products and Services

The one practice that was implemented by the most agencies – that only included 6 of 23 agencies. OUCH!

So then they tallied up the results. Here is what they found:

[Figure: bar chart of the tallied results]

Notice all the white? That is the part where the agencies are not implementing any part of the practice to reduce their risk. The vast majority of the agencies are asleep at the switch.

The most common excuse given was “no one told me how to do this” or something close to that. So, a billion dollar agency, apparently, needs to be treated like a toddler and told how to do its job. Let’s ignore for the moment that NIST issued guidance in 2015 and the OMB told all agencies to implement supply chain risk management (SCRM) in 2016. But no one held their hand. Or, until now, swatted their behind.

Most agencies, when called on the carpet by the GAO said, oh, my bad, I will fix that (yeah, maybe). A few said bug off. Those are the ones who should not be allowed to use computers or networks.

Here are the 7 areas that the GAO asked about. See how many of these you are doing company wide.

  1. Establishing executive oversight of ICT activities, including designating responsibility for leading agency-wide SCRM activities;
  2. Developing an agency-wide ICT SCRM strategy for providing the organizational context in which risk-based decisions will be made;
  3. Establishing an approach to identify and document agency ICT supply chain(s);
  4. Establishing a process to conduct agency-wide assessments of ICT supply chain risks that identify, aggregate, and prioritize ICT supply chain risks that are present across the organization;
  5. Establishing a process to conduct a SCRM review of a potential supplier that may include reviews of the processes used by suppliers to design, develop, test, implement, verify, deliver, and support ICT products and services;
  6. Developing organizational ICT SCRM requirements for suppliers to ensure that suppliers are adequately addressing risks associated with ICT products and services; and
  7. Developing organizational procedures to detect counterfeit and compromised ICT products prior to their deployment.

Credit: the Government Accountability Office

Security News for the Week Ending April 23, 2021

USTRANSCOM Starts CMMC Lite Now

The DoD’s transportation command, the folks who are in charge of getting all the stuff that the military needs from where it is to where it needs to be, has announced that they are implementing a light version of CMMC NOW instead of waiting for the five years that it is going to take DoD to fully roll CMMC out. The plan for TRANSCOM is to be able to confirm or deny cyber compliance, they say. This is even though the DoD delayed its report to Congress on vendors’ compliance with CMMC. It was due in March but now won’t be ready until June. TRANSCOM’s plans come at the same time that some are complaining that security is too hard and too expensive – even though they have been certifying for three years that they were fully compliant with the standard. Now that someone is actually saying “prove it”, they are saying it is hard. The move to actually protect our own nation’s service members and information from our adversaries will not be easy, as we learned when the SolarWinds attack was revealed, but that doesn’t mean that we should not do it. Credit: Federal Computer Week

FCC Allocation of New Bandwidth for WiFi – A Duel to the End

Last year, as WiFi usage skyrocketed, the FCC allocated 1200 MHz of bandwidth in the 6 GHz range for unlicensed WiFi. But the problem is that someone’s ox will always get gored since there is no “unallocated” bandwidth. While this is great news for WiFi 6, the new WiFi standard (and WiFi 6E in particular), the people who currently use that bit of spectrum (like some carriers and first responders) are not thrilled. Last October, the DC Circuit Court of Appeals denied a request for an emergency stay, even though the court said that it would hear the arguments later. Last month the challengers began making their case in court, saying that this FCC order would interfere with their existing use of the spectrum. Now oral arguments begin. No one knows how this will end, but the fight is just starting. If, however, the courts refuse to issue a stay, it is going to be a moot point.

After Google gets you Hooked, they Are Changing the Rules

For Google Photos, effective June 1, 2021, and for Google Drive, effective February 1, 2022, all that free unlimited storage is gone. NEW files uploaded to your account after the effective dates will count toward your storage quota, whatever that quota is. To ease the sticker shock, existing files will be grandfathered in. You can see what your storage usage is, here.

Google and Microsoft are Fighting – Can You Imagine That?

Google is trying to figure out how to track people to sell advertising as state privacy laws make that more difficult. Their newest invention is something named Federated Learning of Cohorts. It has been widely criticized by privacy folks. In short, it puts users in anonymous (supposedly) buckets by behavior and tries to show you ads based on what FLoC you are in. It is turned on in Chrome 90 and I don’t see a way to turn it off. Microsoft did not include it in their new build of Edge. Take that, Google! Credit: Bleeping Computer

EU Creates AI Rulebook

The European Commission released a draft version of a new regulation on the use of AI – the first time a regulator has proposed to do this. The EU says this rule is to create transparency in the use of AI and ban “systems considered a clear threat to the safety, livelihoods and rights of people”. Whatever that means. It also is proposing stricter rules on the use of biometrics such as facial recognition. Here is the draft rule.