Category Archives: Legal

Colorado Governor Signs New Cyber Security Bill Into Law

Effective September 1, 2018, *ALL* companies doing business in Colorado will have just 30 days to notify residents if their data was breached.  That is just one of the new rules.

The rules apply to both government entities and businesses, which is a bit of a surprise.  Different laws, but basically the same requirements.

What will businesses need to do?

  • Have a written policy for the destruction or proper disposal of paper and electronic documents containing personal information.
  • Implement and maintain reasonable security procedures and practices that are appropriate to the nature and size of the business.  While this gives you a lot of wiggle room, you may need to justify to a judge or the attorney general why you called your practices reasonable.
  • If you use any third party services (which is pretty much everybody), you must require that third party to implement and maintain reasonable security practices and procedures unless you choose to be liable for their practices instead (which is not a great idea).
  • In case of a breach, notify residents providing specific information about the breach.  If the business does not have sufficient information to contact residents directly or if the cost of contacting residents will exceed $250,000 (or a couple of other reasons), an alternate notification process will kick in, which includes a prominent notice on the company’s web site and notification via state-wide media.
  • If the breach affects more than 500 people, the business must notify the attorney general and if it affects more than 1,000 people, the business must also notify the credit reporting agencies.  Consumers cannot waive these rights in a contract or other agreement.
  • If encrypted data is breached, notification is not required if the encryption mechanism is not compromised.  This means that if a powered off laptop which is encrypted is stolen, then notification is likely not required, but otherwise, it probably is required.
  •  Criminal charges may be brought against a business under certain circumstances.

This law leaves a lot of leeway for the Attorney General to interpret things and the current AG was very active in shaping this bill, so I would not count on him being lax when it comes to prosecution.

Facebooktwitterredditlinkedinmailby feather

Amazon Sells Face Recognition Tech To Cops

Amazon is selling facial recognition technology that it has developed – called Rekognition – to law enforcement agencies and maybe others – Amazon won’t say.

While there is nothing illegal about this and if Amazon doesn’t do it, others likely would, it certainly raises privacy concerns.

Two police departments that are known to have purchased the software are using it in different ways.

The Washington County, Oregon Sheriff is using it to match suspects to people in their database.  They use it, they say, about 20 times a day.  It cost the department $400 to upload 305,000 mugshots and it costs them $6 a month to use the service.  These numbers have to be very attractive to law enforcement.

The Orlando, FL police department, however, is using it very differently.  Orlando has a series of surveillance cameras throughout the city to watch people who are out in public.  They call them public safety cameras since that likely sounds better than the 1984-esque alternative.  Using these cameras and Amazon’s facial recognition system, the city can look at the images to find “persons of interest”.  Of course, most of us won’t complain if the city we live in is safer, but it also means that likely your every move in Orlando (and maybe other cities, we do not know) could be being monitored and potentially recorded.

Some people say that if you are not doing anything wrong you shouldn’t object to being surveilled.

As we recently discovered, all of the major cell phone companies sell your location data to anyone who’s check will clear.  Is there any reason that cash-strapped cities won’t do the same?  Maybe with the pictures showing what you were doing and with whom?  Don’t know.  There are no clear universal laws covering this other than you do not have an expectation of privacy when you are outside.

So, what can or should you do?

Unfortunately, in this case, there is not a lot that you can do.

Be aware, for one, that your actions are not private, may be recorded, and you may be identified and your actions cataloged.  This is somewhat like what automated license plate readers do in some cities, only a little more intrusive.

Write to your politicians if you think that there should be limits on the surveillance that your government should be doing, absent probable cause.  It may or may not make a difference, but certainly if people do not complain, the politicians will assume you don’t care.

Finally, let your friends know what is happening.  An informed citizenry is critical to a democracy.

So stay tuned.  I suspect that Jeff Bezos won’t change his mind and stop selling this technology because even if he does, someone else will likely step in to replace him (maybe Facebook).  This story will take a while to play out.

Information for this post came from The LA Times.

Facebooktwitterredditlinkedinmailby feather

EU’s GDPR May Cause Challenges For Businesses

According to a survey conducted by storage software vendor Veritas,  2 in 5 or 40% of what the EU calls “data subjects” (and what the rest of us call people) plan to request businesses to tell them what data they have  within the first six months after the GDPR goes into effect later this month.

Even if the 40% turns out to be 10%, that is going to be an amazing hardship for businesses.

Under GDPR, businesses have about 30 days to provide that information.  They need to figure out which John Smith is requesting the data, on what systems (local, in the cloud and with vendors) they have that person’s data, collect and format that data in a manner that is consistent with the GDPR requirements and deliver it.  All within less than 30 days.

Which companies have to deal with GDPR?

In general, companies that collect data on EU people – customers or just people who visit their website.

Different companies face different risks.  The companies at the highest risk are those located in Europe.  Those are followed by ones that have operations (business units) in Europe.  At the lowest risk are companies based in the U.S. who may interact with a few EU data subjects.

Other responses from the survey include:

  • 56% plan to approach financial firms with data privacy requests
  • 48% plan to approach social media firms
  • 46% plan to approach retailers
  • 24% plan to approach employers and
  • 21% plan to approach healthcare providers
  • 65% of those who plan to contact these businesses will ask for access to the data those companies have
  • 71% of those who contact businesses will ask them to delete the data

Information for this post came from Computing.co.uk .

Based on that, what should you do?

First, if you live in the US, this doesn’t apply to you unless a company chooses to voluntarily do that.

BUT, if you are a business and you have customers in the EU or have a division in the EU and you have not already started working complying with the rules, you likely will not be able to comply by the May 25th deadline.

What we don’t know is what the EU regulators plan to do.

Given there are tens of millions (or more) of businesses, the odds of any one business getting zapped are low.

UNLESS someone or more than one complains about you to the regulator.

And we don’t know how many resources each regulator plans to allocate to this process.

It will certainly be interesting to watch.  Unless you are the one that the regulator picks on.

 

Facebooktwitterredditlinkedinmailby feather

President Signs SESTA/FOSTA; Web Sites Start Shutting Down Services

SESTA/FOSTA was a bill that was supposedly designed to shut down sex trafficking sites on the Internet by effectively repealing the protections provided by Section 230 of the Communications Decency Act which protects online service providers like Facebook and Google from being prosecuted for the postings of their users.

The bills, which have been around in different forms for a couple of years, was snuck into the budget bill in the dark of night.  There was no debate, no committee hearing and no markup of the bill.  Likely, knowing DC, it was a Quid Pro Quo to get someone to vote for the budget bill.

Section 230 of the Communications Decency Act protects online service providers from being held accountable for what their customers post.  While the “claim” is that this bill is designed to punish web sites that post prostitution ads, it is so poorly written that it could be used as a club against any web site that a federal prosecutor chooses to.  The main target of the bill was Backpage, which did post, in my opinion, prostitution ads, but that site was shut down and the people responsible for it arrested days before the President signed this bill, so, apparently, the feds did not need this law to shut down what was proclaimed to be the target of the bill.

Fringe dating sites, sex trade advertising sites, parts of Craigslist and other sites have already shut down.  Google has started wielding a meat axe on their site to ensure they are not charged.  All this before the law likely is implemented, some time next year (Source: Motherboard Vice).

Given this, what should you do?

First, this really only affects you if you run a website and you allow users to post content on that site.

For the moment, lets assume that you do run a website that allows users to post content such as comments or reviews.  Up until now, the rule was that if you did not impose editorial control over that content, then you were not liable for it.

Now, apparently, you are.

This means that you need to do one of two things:

1. Shut down the part of the web site that allows users to post content.  If this destroys your business model, tough.  Write a letter to Congress.  What Congress giveth, Congress can taketh away.

2.  If that is not an attractive option, then you have to create a process to review every post to make sure that it cannot be misconstrued by some over eager federal prosecutor to charge you.

Remember, you do not have to be guilty to be charged and proving yourself innocent can be very expensive.

I am not sure if cyber insurance will start covering this.  Prior to the effective repeal of Section 230, they did.  Now, it is not clear at all.

Fundamentally, you have to exercise full editorial control over the content.

Don’t be surprised if people start figuring out which sites do not monitor posts and start using those sites as a replacement for the ones that shut down.

As we get closer to 2019, there could be some clarity and, possibly although unlikely, Congress could amend the legislation.

In the meantime, stay tuned and start setting up those processes.

 

 

Facebooktwitterredditlinkedinmailby feather

Can The Ruskies REALLY Hack Our Elections?

With all the news lately about the Russians trying to change the outcome of the elections (like, I might add, the U.S. has been trying to do around the world for decades – think of the Shah in Iran, the Congo elections, Chile and many others – see here), the real question is can the election really be hacked.

The Pew Charitable Trust published a great piece on the subject which should make you think about the subject.

Here are my thoughts on the subject.  Feel free to comment.

#1 – As a concept, there is no “single point of failure” in the American election system.  That is both its strength and its weakness.  According to Pew, there are 10,000 election entities, mostly (by sheer numbers) counties and cities.  These organizations are, at best, loosely affiliated with each other.  The Clerk in Wichita, KS likely doesn’t even know the Clerk in Fort Smith, Arkansas, except maybe by chance and, for sure the systems used by the two cities are not, in any way, connected.

#2 – Your local voting machine is NOT connected to the Internet.  In fact it is not connected to much of anything.  It is likely loaded with it’s ballot by a flash drive, created at the Clerk’s office.  At the end of the election day, the results are read out on each machine and probably called into each individual election office, manually.  The machines are then locked up and driven to a warehouse, where they are stored, more or less securely until the next election.  Could you compromise that flash drive at creation time?  Likely.  Probably without a huge amount of effort.  But even if you do, that would only be used within a single election PRECINCT.  Not exactly an easy way to change the outcome of a Presidential election.

#3 – While we are on the subject of Presidential elections, the easiest way to change the outcome of that election is by way of fake news, promoted by influencers.  Not the fake news that the current office holder talks about, but rather real fake news.  The average voter assumes, for the most part,that whatever they read, if it supports what they believe, is likely true – it just reinforces their existing beliefs, without regard to whether those beliefs are correct. Or not. That is certainly what Russia did in 2016.  Those efforts can effect a change in the election results.

#4 – it doesn’t require flipping very many votes to change the outcome of a single election.  In this week’s PA-18 House election, the difference between winning and losing was around 627 votes.  Out of 250,000 or so votes.  So, if, via fake news, you can flip the minds of less than a thousand voters, you have just changed the outcome of an election.  That is probably a  lot easier and a lot cheaper than trying to hack voting machines.

“That keeps me awake at night,” said Nancy Blankenship, the clerk for Deschutes County, Oregon.

That quote gives me some hope regarding fending off the bad guys.

On the other hand, this quote worries me.  This clerk either is so clueless about technology that she should not have the job or is sticking her head in the sand.  In either case, it is a problem.

Sara May-Silfee, the director of elections for Monroe County, a community of 170,000 in eastern Pennsylvania, said she knows her county is secure, even if her state was one of 21 states targeted by Russian hackers in 2016.

“I can’t even begin to tell you how they’d hack us,” she said. “Nothing is hooked up to anything. How could anybody hack us? I’m not worried about anything. Sometimes it seems like a lot of hullabaloo.”

I wonder how she KNOWS her county is secure?  Perhaps the same way Target knew?  Or Home Depot knew?  Part of the problem is that County clerks are political animals.  Usually elected.  Highly unlikely from a technical background.

I saw an article earlier today that the Air Force was lamenting that they could not find good cyber security folks.  After all, they pay $37,000 a year plus allowances and benefits.  Someone who is competent could likely make 50% to 100% more in the private sector and not have to worry about having to listen to the whims of politicians who have no idea about tech, even though they feel the need to flap their gums about the subject.

#5 – in many locations, the vast majority (if not all) of the ballots are done via mail.  ON PAPER.  The old fashioned way.  Could you steal the ballots out of the mail?  Maybe?  But if you do, are you helping the candidate you favor?  Or hurting that candidate?  Could you hack that voting process?  Unlikely.

#6 -Could you compromise the central ballot counting process in any given city or county?  Maybe, but likely not easily.

#7 – Hackers could break into central state voter databases and add names, delete names or make changes.  This is one of the things that the Russians were reported to have been trying to do during the 2016 elections.  Is this possible?  Apparently, at least to a degree.  What backups, cross checks and security  measures any given voter database has, is, of course, unknown.  Reports have it that the Russians were successful at doing this, at least to some extent, in several states.

#8 – Many electronic voting machines still do not have a paper confirmation printout.  What this means is that there is NO way for the voter to know what the voting machine actually registered and no way for voting officials to verify the vote count.  THIS IS A BIG PROBLEM.  Without some independent means to verify the vote count, it is all a big guess.

At the hacking conference Defcon, there has been a contest for the last few years for hacking voting machines.  Every year, every single machine gets hacked.  Sometimes in just a few minutes.  In fact, it has been so embarrassing to voting machine manufacturers that they have resorted to threatening people who sell voting machines on the used market.  If the organizers of Defcon can’t get machines, they can’t embarrass the voting machine manufacturers.  If I was a manufacturer, I wouldn’t count Defcon’s organizers out yet.

Suffice it to say, this system is far from perfect.  However, hacking the tech is not only hard but will also have limited effect.  There is no central place to attack; no website to compromise.  Still, that doesn’t mean you can’t do anything.  Think back to PA-18 this week.  Only 600+ votes separated the winner from the loser.

Information for this post came from The Pew Charitable Trust.

Facebooktwitterredditlinkedinmailby feather

What If Security Products Offered Warranties?

Most of the time software license agreements say “we are not responsible for anything that might happen”.  In fact, most license agreements say that it is up to the user to figure out if the software is even appropriate for whatever the user plans to use it for.

So what would happen if a software vendor offered, say, a ONE MILLION DOLLAR warranty?

Well, you no longer have to wonder.

SentinelOne (https://www.sentinelone.com/ ), maker of endpoint protection software (the next generation of anti virus software), has started offering a million dollar warranty if their customer’s computers are infected by ransomware while their software is active.

They are that confident of their product.  They use AI and machine learning to stop attacks.

SentinelOne decided that they needed a differentiator.  Providing a warranty would be an impressive difference in a very crowded software segment with 60 competitors.

However, last year there were four vendors offering a warranty;  this year there are 18, so that difference is losing a little bit of its punch.  SentinelOne is likely responsible for that.

If this trend continues, this could be a great event for users.

Getting SentinelOne’s management to agree to offering a warranty was a bit of a challenge, but Jeremiah Grossman , the guy who did the convincing, had things figured out.

First you have to model your losses, understanding what the likelihood is of the product failing.

Then you have buy reinsurance against catastrophic losses.  The reinsurance, he said, cost them less than $25,000 a year.  A pretty cheap marketing cost.

SentinelOne said they had no losses in the last year.  That, by itself, is pretty impressive.

While $1 million is a lot of money, the average cost to recover from a midsize breach is between $3 million and $7 million, so that $1 million, while it should be a good sales tool, is not the end game.

Enter warranty V2.  Details still being worked out.

Still, if this is a trend, maybe there is an end to the insanity of software licenses – caveat emptor, buyer beware.

That, if it happens, would be a wonderful change.  I have my fingers, and toes, crossed.

Information for this post came from SearchSecurity at TechTarget.

 

Facebooktwitterredditlinkedinmailby feather