Category Archives: Legal

The Times They Are A Changing, Part 2

Last week I wrote about 4 different cases where courts are moving in the direction of making it easier for plaintiffs to sue companies in case of a breach.

Now we have another situation.  In the past, judges have approved settlements that only made the lawyers rich.  The plaintiffs sometimes got, literally, nothing.  That is beginning to change.

Judge Lucy Koh (she has some impressive credentials – undergraduate and law degree from Harvard, first ever female Korean American Article III judge in the US, oversaw the Apple-Samsung case,  Apple and Google lawsuits) decided that the did not like the proposed Yahoo settlement.

The settlement called for $50 million split among 200 million people (or about 25 cents a person), zero for the remaining 800 million people plus two years of credit monitoring.  Remember this breach started in 2013, so two years of credit monitoring starting some time in 2019 …..

She also said that the $35 million in legal fees (taking the payout to the 200 million people down to $15 million or seven and a half cents a person) may be unreasonably high because the legal theories in the case were not particularly novel (SLAP! Meaning that the lawyers didn’t really have to work that hard).

That could, possibly, mean that judges are becoming educated and are hearing that people are trying not to spend their seven cent payout all in one place, meaning bigger settlements are going to be required in order to get judicial approval.

Meanwhile for Yahoo, it is back to the drawing board.

For businesses, that probably means that it would be a good idea to increase your cyber-risk insurance.

Details for this post came from Reuters.

 

 

Facebooktwitterredditlinkedinmailby feather

Are You Prepared to Handle the Digital Assets of Your Loved Ones After They Are Gone?

No one has made it out of this life alive.  That I am aware of.

Sometimes, while it is not comfortable, we know when a loved one is about to pass and sometimes we are able to prepare for it.

In other cases, you don’t know  it is going to happen and are completely unprepared.

In my case, I have some personal experience with this.  My brother was hit and killed by a car driven by a mass murderer fleeing from the police and I had to deal with this lack of preparation in spades.  My brother was a young guy (62) and he had not prepared for his untimely demise.

Assuming that you have to deal with this horrible situation of closing out the digital life of a loved one, here is some information.

CREDIT CARDS

Collect all of credit cards that you can find.  Depending on how close the loved one is, you may or may not know what cards exist.  You may have to check the mail for a month or three to see if there are credit card statements.  If there is no balance on the account you may not hear from the credit card company until the card is about to expire.  Once you have the cards, call the bank and cancel them.  You will have to prove who you are, most likely, provide a death certificate and evidence that you are the administrator of the deceased’s estate.  At that point you will be able to find out about balances and close the accounts.

MAIL

Mail can be a challenge. IF you lose access to the mail, you will lose a lot of information.  Did the deceased have a post office box, either at the US Post Office or a private box service?  The Post Office will NOT send you a bill.  They will just cancel the box for non-payment.  Make sure that you keep paying that bill and checking that box.  If the deceased lived in another city you may need to forward the mail.  The Post Office will only do that for a limited time.  If the deceased had a spouse and someone is going to continue at the address, that makes things easier, but if not, you only have, at  most, a year and that is not as long a period of time as you might think.

ONLINE ACCOUNTS

Technically, this may be against the law, but if the deceased had online accounts and you know or guess the password or can successfully do a password reset (if you have access to the deceased’s phone and email), then you can impersonate that person.  More than likely most online providers won’t know or care that the person passed away.  BUT, beware, if they do find out they may lock the account with no advanced warning.  Get in quickly, get what you need and get out.

PAYPAL

Paypal, like most online providers, has a process.  If you can log on then you can withdraw whatever funds are there, payable to the estate.  If you can’t log in, you will have to provide them with documentation – a will, letters testamentary or something similar, etc.  Consider that a significant pain, especially if the estate did not need to be probated otherwise.

FACEBOOK

Facebook has a process where someone can designate a legacy contact in which case you can tell Facebook how to handle the account, but they will not give you the ability to log on. You can only freeze the account or delete it.  I assume you will have to prove the person has passed away.  If there is no legacy designation then you will have to provide paperwork.

INSTAGRAM

Instagram has a process similar to Facebook.

TWITTER

Twitter has a privacy form to report a death.  You have to provide the appropriate paperwork and then you can get the account deleted.

GOOGLE

Like the above, they have a form and a process in order to make sure that you are doing things legally, but you can get data or close the account.

MICROSOFT

Microsoft says that the deceased’s account will be deleted after a year of inactivity.  Of course, that doesn’t give you access to any data.

The best way to handle this is to record your passwords and store them securely.  Some password manager software has an “on death” feature that allows you to gain access to the person’s password vault upon proving the person is deceased and you have been designated as the guardian of the passwords.

Check out the source article below for a few web site links.

PAPERLESS BILLING

I assume that companies will eventually contact you about past due bills if they plan to get paid, but I have seen some circumstances where they want to add late fees and legal fees for past due accounts.  To the degree that you can, figure out what bills might be due and reach out to the companies involved.

THE LAW

Delaware has passed comprehensive legislation forcing online providers to do the right thing.  In some cases, Delaware residents were denied access to spouse’s email due to privacy policies – that will no longer cut it in Delaware.  Check your state for specific laws.

Bottom line, plan if you can, but that is not always possible.  If not, it can be done, but it will definitely take some work.

Planning definitely makes things easier.

Information for this post came from Entrepreneur magazine.

 

Facebooktwitterredditlinkedinmailby feather

Is Internet Provider’s “Zero Rating’ Really a Revenue Enhancer

The fight in the U.S. over net neutrality is far from over with each side claiming they are right.

In the meantime, the E.U. has required net neutrality since 2016 but has allowed individual countries to figure out how to implement it.  Some have implemented it by not doing anything, which gives us an opportunity to compare the effects.

In the U.S., the side against zero-rating (the opposite of net neutrality), which allows a carrier to exempt particular content from data usage fees – typically their own or from a third party that paid the carrier a lot of money – says that it is just a way for carriers to make people use a service that makes them more money, but, apparently, it is worse than that.

Non-profit Epicenter.works studied wireless data prices in 30 European countries and found that the cost of wireless data plans were significantly more expensive in countries that didn’t implement net neutrality and allowed zero-rating.

According to the study, those countries that implemented net neutrality and did not allow zero-rating saw a double digit price decline in wireless data prices over a one year period, while countries that did the opposite saw a price increase.

Again, according to the study, carriers that allowed zero-rating jacked up prices to make their content (the zero-rated content) seem cheaper by comparison.

In the U.S. the fight over net neutrality is in the courts at this point, so we probably won’t know the outcome for years.

What does seem to be the case is that U.S. consumers already pay way more for wireless data than do their European counterparts and that is not likely to improve anytime soon.  Source: Motherboard.

 

 

Facebooktwitterredditlinkedinmailby feather

What is YOUR Level of Paranoia?

A Houston lawyer is suing Apple alleging that Apple’s Facetime bug (still not fixed) that allowed people to eavesdrop even if you do not answer the call, allowed a private deposition to be recorded.

If you are among the geek crowd you probably know that the most paranoid person around, Edward Snowden, required reporters to put their phones in the freezer (not to keep them cold, but rather the metal box of the freezer kept radio waves out) when they were talking to him.

The lawyer is calling the bug a defective product breach and said that Apple failed to provide sufficient warnings and instructions.

I am not intimately familiar with Apple’s software license agreement, but assuming it is like every other one I have seen, it says that they are not responsible for anything and it is completely up to you to decide if the software meets your needs.

That probably conflicts with various defective product laws, but if that strategy had much promise you would think some lawyer would have tried that tactic before.

But the problem with the iPhone and the lawsuit do point out something.

We assume that every user has some level of paranoia.  Everyone’s level varies and may be different for different situations.  We call that your Adjustable Level of Paranoia of ALoP (Thanks James!)

YOU need to consider your ALoP in a particular circumstance. 

You should have a default ALoP.  Depending on who you are, that might be low or high.  You will take different actions based on that.

In this case, if the lawyer was really interested in security, he should not have allowed recorders (also known as phones and laptops) into the room.  He also should have swept for bugs.

That is a trade-off for convenience.  But, that is the way security works.  Low ALoP means high convenience.  High ALoP means lower convenience.  Ask anyone who has worked in the DoD world.   If you work in a classified environment you cannot bring your phone into the building.  They have lockers to store them in if you do.  If you ignore that rule you can lose your clearance or even get prosecuted.

Bottom line is that you need to figure out what your ALoP is for a particular situation and make adjustments accordingly.

Suing Apple will not solve this attorney’s problem.  There will be more software bugs.  I promise this was NOT the last one.

But the lawyer will get his 15 seconds of fame before the suit is settled or dismissed.

Source: ABC 13.

Facebooktwitterredditlinkedinmailby feather

Managing Supply Chain Risk

Supply chain risk is a hot button right now and getting hotter.

It has always been an issue – it was the source of the Target breach, the Home Depot Breach, Panama Papers and thousands of others that you never heard about.  According to a Ponemon study, 56% of organizations admit that they had a breach caused by one of their vendors.

According to that study, the average number of vendors a company is sharing sensitive data with is 471 and only 35 percent of the companies had a list of all of the vendors that they were sharing data with.

The problem doesn’t stop when you terminate a supplier relationship because they do not delete all of your data when you go away.  They keep it.

Add to that the fact that only 18 percent had a handle on fourth party risk – the risk that comes from your third parties using their own third parties.

Regulators are starting to deal with it.  New York is requiring financial service providers to actively manage it and it is not easy.

GDPR also holds companies responsible for what their vendors do with their data, so if you do business in Europe, that is another concern.

Expect regulators to add more third party risk management to their requirements over the next few years.  Colorado just did that.

Supply chain risk not only includes vendors that provide services to your company, but also hardware vendors and software providers.  Each purchased device, each downloaded application needs to be vetted, and monitored for potential security risks, and all patches have to be up to date.

The Magecart malware in the Magento Open Source eCommerce software has allowed hackers to steal millions of credit cards.

Supply chain risk not only puts your client’s data at risk, but also puts your own intellectual property at risk.  When the hackers come, they take everything,

Cloud service providers add their own risks.  Recently researchers were able to compromise at least a half dozen large web hosting providers.

And professional service providers – accountants, lawyers, analytics providers and many others add their own risk to the mix.

So what do you need to do?

Kind of like when alcohol gets out of control, the first step is admitting that you have a problem.

The biggest suppliers are likely not the biggest risk.  They often  have robust security programs, but even when they do, those sometimes fail . Think about Equifax.

We are seeing more CONTRACTS requiring supply chain risk management.  Vendors may be asked to self assess or use third party risk vendors like CyberGRX, Vendorly or others.  And there are vendors that provide security scores such as Bitsight and Security Scorecard.

Companies need to up their game when it comes supply chain risk – because the bad guys have already done that.

Information for post came from CSO Online.

Facebooktwitterredditlinkedinmailby feather

Food Giant Mondelez Sues Its Insurance Company Over “Act of War”

Mondelez is the parent company of Nabisco, Oreo, Ritz and many other brands that are part of Kraft Foods.

Mondelez, like many other companies, was a victim of the NotPetya attack which turned 1,700 servers and 24,000  workstations at Mondelez into very expensive bricks.

Mondelez’ insurance company, Zurich American, denied the claim and hence the lawsuit, asking for  100 million dollars.

White House estimates of worldwide damage from NoyPetya, at the time, were around 10 billion dollars, so Mondelez is claiming one percent of the total worldwide damage, which seems a bit high, but that is not the point.

The Zurich American policy in questions offers this coverage:

“all risks of physical loss or damage” as well as “physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction.”

It seems like this attack meets the requirements of this clause.

BUT, what insurance companies giveth, sometimes they taketh.

Zurich reviewed the claim and did what all insurance companies do – tried to figure out a way to reduce what they would have to pay out.

One survey said that companies collectively world wide could potentially claim $80 billion dollars in damages.

Zurich initially offered Mondelez $10 million to settle but then changed their mind.  Why?

Because of another clause in the policy.

There is a clause in their policy (and many others) that has an exclusion for  “hostile or warlike action in time of peace or war” by a “government or sovereign power.”   The key phrase here is BY a government or sovereign power.  Not hackers friendly to one.  Not hackers  mad at the world.  You get the idea.

Security experts and some governments blamed Russia for the attack.

Russia (of course) denied that claim.

So now, it would appear, it is up to Zurich to prove, based on a preponderance of evidence, that this (a) is a hostile or warlike action – a term that is likely not defined in the policy and for which a generally accepted definition has possibly never been adjudicated through the court system through appeals and (b) that it was done by “a government or foreign power”.  I don’t think it is sufficient to say “well the gov says it is”.

Either way this turns out – and we likely won’t know the final result for years – will have an impact on the insurance industry.  Possibly the two sides will agree out of court, leaving the question unanswered for future claims.

Likely the industry will change the terms of policies long before this is settled and large companies will negotiate terms with insurance carriers – which will affect premiums.

This apparently is NOT a common technique to  limit damages according to some sources and was probably precipitated by the size of the check that they might have to write.

Likely much of the data that could be used to prove Zurich’s stance in this case is classified by the U.S. or other governments.  Are those governments going to be willing to declassify that data for the benefit of one side of a civil lawsuit?  Not clear but stay tuned.  Source:  The Register .

Facebooktwitterredditlinkedinmailby feather