Articles Posted in Risk Evaluation and Management

by

In 2017, when blockchain was the new shiny thing, a little-known micro-cap stock, Long Island Iced Tea Corp., changed its name to Long Blockchain Corp. That day, its stock price jumped 200% on the news, but it was still a beverage maker – it simply announced that it was exploring opportunities in blockchain technology. Simply attaching the word “blockchain” to its corporate name was enough to create a frenzy in the stock.

Even though artificial intelligence has been a part of our lexicon for more than seventy years, artificial intelligence remains the latest bright shiny thing. Businesses large and small feel compelled to incorporate artificial intelligence into their company descriptions even with a limited understanding of what artificial intelligence is, or how it could help their business. While incorporating artificial intelligence into a business model may be a good move, jumping on the AI bandwagon can have unintended consequences.

What is Artificial Intelligence

Most of us have an imperfect concept of artificial intelligence: we think that the title is descriptive of the product. However, artificial intelligence is not necessarily what it sounds like. IBM defines artificial intelligence as “technology that enables computers and machines to simulate human learning, comprehension, problem solving, decision making, creativity and autonomy.” But what most people think of as artificial intelligence is generative AI, technology that can create original text, images, video, and other content without human intervention.

Underlying this is a hard fact. Artificial intelligence is highly technical and exceedingly difficult. As an expert in the field, Joseph Greenfield of Maryman and Associates told me, “To understand artificial intelligence, you understand neural networks.” I don’t understand neural networks – do you?

What are the risks of Artificial Intelligence?

Some of the risks in artificial intelligence – or, more accurately, AI systems and tools – are well publicized. For example, AI “hallucinations,” a generative AI tool that creates responses to prompts that have little or no basis in fact, have become legendary. Biased or inaccurate responses are a common issue, and certain AI models have design flaws that can magnify those issues. Additionally, because of the complexity of AI systems, they cannot be treated simply as another form of software.

An AI system is not like a car, or a computer, or a lot of things we use but don’t understand. Or, more accurately, it’s like having a car without understanding what the steering wheel, accelerator and brake do. You are bound to have an accident.

The National Institute for Standards and Technology recently published a “Risk Management Framework” that identifies several risks that are inherent in AI systems. Among other things:

  • Difficulty in Measurement. The risk in using AI systems is difficult to measure, making it challenging to implement a “safe” system.
  • Adapting and Evolving. AI systems are, by their nature, continually adapting and evolving, which may make a risk analysis at one stage in the AI lifecycle inapplicable to a later stage.
  • Lack of Transparency. AI systems are often opaque, lacking in documentation or explanation.

Moreover, a functioning AI system raises risks of inadequate compliance with laws, inadvertent disclosure of personal and business information, and a variety of ethical dilemmas. The takeaway here is that if you cannot identify or measure the risk, you might be unable to manage it.

Managing the Risk.

While eliminating risk might be impossible, it can be managed. Some steps a company can take to control the risk in AI systems include:

  • Understand the system and how you plan to use it. Make sure that you understand the purpose of the AI system and how it will address your needs.
  • Consider compliance. There are a variety of laws and regulations that impact the legal uses of artificial intelligence. Currently, the European Union AI Act, Utah AI Policy Act, and Colorado AI Act all stand out as specific laws geared toward artificial intelligence, but the nature of artificial intelligence is that it can trigger virtually all privacy laws as well as scrutiny by the FTC and state attorneys general. And, just as legislatures and regulators are focusing on privacy rights, they are moving into artificial intelligence regulation as well (even without fully understanding the concepts).
  • Hot button Issues. Recognize that some applications of artificial intelligence are particularly sensitive, such as:
    • Employment decisions;
    • Credit scoring;
    • Training with protected or unlawfully obtained data; and
    • For those in the federal supply chain, the Biden Administration’s AI Executive Order.

There are also actions you can take to limit your risk exposure:

  • Risk Analysis: Despite the challenge, understand how the AI system might create risks to your company. The risks can range from violation of specific artificial intelligence and privacy laws, intellectual property infringement, loss of trade secrets, and reputational harm.
  • Vendor Assessment: Learn as much as you can about who will provide or develop the AI System – its experience, reputation, past projects, and personnel.
  • Training Materials: Find out what data was used to train the AI system and where it came from. Does it include personal information, copyrighted materials, or trade secrets? Did the developer have the right to use the data?
  • Review the Agreement Carefully: As noted above, artificial intelligence systems are different from other software. A careful review of the representations and warranties, indemnification provisions and limitations on liability are essential.
  • Don’t skimp on the Statement of Work: The statement of work (the actual description of what the AI system will do) is key. That is challenging because it’s often the case that an AI system is developed with broad initial goals, making a continuing review of system requirements and goals essential.
  • Have an AI Governance Committee and Policy: Establish a company group with meaningful authority, and with technical and legal expertise, to oversee the use of AI systems and tools.

Artificial Intelligence tools are expected to transform the way we work. They have the potential to automate tasks, improve decision-making, and provide valuable insights into our operations. However, the use of AI tools also presents new challenges in terms of information security and data protection. Adopting AI systems and tools requires preparation and careful thought – don’t just reach for the brightest new penny!

JMBM’s Cybersecurity and Privacy Group counsels’ clients with a commitment to protecting personal information in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in artificial intelligence implementation and other new technologies, development of cybersecurity strategies, creation of data security and privacy policies and procedures, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

 Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Clients engage Bob to develop and implement privacy and information security policies, data breach response plans, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. Bob manages data breach response and responds quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

by

Addressing privacy compliance and cybersecurity is becoming more and more challenging for companies. At least 26 states are considering various kinds of data privacy laws. At the same time the rate, depth, and impact of ransomware, wiperware and data breaches has become more intense and more expensive, and there is no indication that the trend will end soon.

Complying with privacy mandates, and preparing for and defending against a data breach, requires knowledge – it requires visibility.

What does that mean? To achieve visibility, an enterprise needs to increase its knowledge of key elements in its infrastructure:

See Your Network

Most C-level executives, other than chief technology officers and chief financial officers, have little knowledge of their network. But understanding what data is stored on the network, how the various parts of the network interact, and who has access to the network (and what kind) is essential to evaluating risks, complying with privacy laws, and preparing and defending against attacks. This means not only knowing what is supposed to be on the network, but the “silent” nodes as well – things like unused servers and the devices that attach to the network, such as personal laptops, smart phones and tablets.

Part of knowing your network also means knowing what is happening on the network. Companies need to know when there is a threat, where it is, and how to contain it. Simply having firewalls and other endpoint security isn’t enough; it’s too easy for hackers to gain access to the network. Being able to “see” what is happening on the network in real time is what can allow a company to defend itself. When a breach is in process, speed is essential.

See Your Data

Surprisingly, many companies are not fully aware of the data they collect, save and process – but this is key to complying with data privacy laws. Companies need to know:

  • What data does the company collect?
  • What data does the company need to collect?
  • How does the company collect data – directly from users, clients, and consumers, or through third parties?
  • Where the company stores its data?
  • How does the company use the data it collects – particularly personal information of individuals, including employees?
  • Who has access to the data?

Continue reading

by

Current information security and risk mitigation approaches are ineffective, and this failure is nowhere more apparent than in critical supply chains – defense, energy, health services, and other key industries. The source of much of the persistent failure to secure supply chains and the success of hackers compromising these vital arteries of commerce is that most organizations do not recognize all of the components and connections that comprise their networks. This blinkered thinking leads to suboptimal measures even when leading information security frameworks are in place. We routinely encounter the following shortcomings in our supply chain security work:

  • 󠄀Inadequate supply chain mapping – Most organizations misperceive or fail to perceive at all the characteristics of their supply chains. As a result, they overlook all kinds of risks and fall prey to hackers regardless of what the organization does to ameliorate risk.
  • 󠄀Failing to test cyber defenses – Many organizations stress security in depth but fall far short on what is, for supply chain purposes, a far more important security element – validation in depth, an all but fatal shortcoming that hackers count on persisting.
  • 󠄀Ignoring OpSec – Organizations place much more emphasis on information security than they do on operational security. This overlooks a multitude of risks associated with their supply chains, one of which is exploits that disrupt operations.
  • 󠄀Focusing on insoluble problems – An organization will never have perfect, if any, visibility into its 3rd and 4th degree of separation vendors. Yet organizations still struggle to find a solution to such problems. But there is no viable solution. Hence, the problem should be viewed not as a problem with a potential solution but rather as an immutable fact, at least for now.
  • 󠄀Expertise Deficit – Current cyber risks are not even remotely aligned with the number of available professionals with the expertise to address these risks. And yet organizations unfairly task their IT groups with responsibility  for supply chain security.

Continue reading

by

2021 was a challenging year in cybersecurity, and there’s no reason to believe that this will end.  As we approach 2022, all businesses large and small need to address some basic issues that impact the security of their systems. and their customers?

  • Vendors. No company stands alone – they depend on a multitude of vendors and third parties to operate.  These range from point-of-sale systems to HVAC operators to property management systems.  Every vendor that has access to company systems – and it’s surprising how many do – presents a threat.  When they have access to a company’s network, that creates an opening for a bad actor.  Even more, each vendor relies on a variety of vendors themselves, which means that every vendor’s vendor that has access to the vendor’s system may also have access to the company’s network.  And as we’ve discovered from the breaches caused by the highly publicized Solar Winds software and the more recently discovered log4j API vulnerabilities, even the most reliable of vendors cannot be blindly trusted.
  • Internet of Things. Internet of things – the elf on the shelf, alarm systems, internet-enabled heating HVAC, solar panels, and public Wi-Fi systems have long been a soft underbelly of cybersecurity.  In the past 10 days, TechCrunch+ reported that “an internet gateway used by hundreds of hotels to offer and manage their guest Wi-Fi networks has vulnerabilities that could put the personal information of their guests at risk.” (https://techcrunch.com/2021/12/17/security-flaws-wifi-gateway-hundreds-hotel/).  The system uses hardcoded passwords that are easy to guess and allow an attacker to gain remote access to the gateway’s settings and databases; they are then able to use that knowledge to access and exfiltrate guest records, or reconfigure the gateway’s networking settings to unwittingly redirect guests to malicious webpages.  This is not something unique to hotels – everything that connects to your system is a potential weak spot in cybersecurity.
  • Social Media. Virtually all companies use  social media to promote their businesses and attract customers.  But social media depends on the collection and use of personal information, and that information can make companies a prime target of bad actors.  Their goal isn’t limited to credit card numbers; these threat actors are looking for personal information that allows them to obtain credentials and infiltrate networks.  When a threat actor gains access to a network – which could be your network – they can pose an existential threat to a business through ransomware, extortion, denial of service and other attacks.

Continue reading

by

Are your cybersecurity management practices reasonable? Do you know your risk tolerance? Are you covering all the cybersecurity bases that make up reasonable cybersecurity?

The California Consumer Privacy Act (CCPA) and other emerging laws require organizations to have “reasonable cybersecurity practices.” The challenge is that there is no accepted definition of exactly what “reasonable” means.

Addressing this challenge, Robert Braun, co-chair of JMBM’s Cybersecurity & Privacy Group, will participate as a panelist for the online interactive program Cybersecure LA2020: A Reasonable Approach to Reasonable Security sponsored by SecureTheVillage.

There is no one size fits all: Whatever “reasonable” is to mean, it must – at the very least – take into account the particular circumstances of the organization and the information it possesses. It would clearly be unreasonable, for example, to hold a small manufacturing company or nonprofit to the same standard as a large bank.

Join SecureTheVillage at CybersecureLA 2020 and learn how to think through your organization’s particular cybersecurity and privacy circumstances … the information you must protect … the laws and regulations governing protection … your own corporate risk-tolerance … and integrate these together into an information security management program that’s reasonable for your organization.

Register Now

Date:   Wednesday, October 28th

Time:   2:30 – 5:00 pm Pacific Time

Who should attend:  Board members. C-Level Executives. CFOs, Chief Risk Officers, Chief Information Security Officers. Anyone in the organization with management responsibility for information security. Trusted advisors.

Learn by doing: CybersecureLA 2020 is organized as an interactive workshop, taking advantage of online event capabilities including small group discussion, polls, surveys, and interactive Q&A.

You will learn to:

  1. Identify your cyber-risk exposure
  2. Explore your cyber-risk tolerance
  3. Know the key elements of reasonable cybersecurity
  4. Leave with a well-defined process to follow in identifying what reasonable security is for your organization.

Register Now For This Informative Program

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

About JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

About SecureTheVillage. The Mission of SecureTheVillage is a Cybersecure Los Angeles.We accomplish our Mission by turning people and organizations into CyberGuardians having the knowledge, skills, and commitment needed to meet the ongoing challenges of cyber crime, cyber privacy and information security. We do this through cybersecurity community building and education. SecureTheVillage also has a second vital objective: To be a role model for other communities. For more information see https://securethevillage.org/.

by

Michael A. Gold, co-chair of JMBM’s Cybersecurity & Privacy Group, will host a panel of industry leading experts for the webinar, The Right Stuff: Validating Reasonable Information Security

Date: Thursday, June 18, 2020

Time: 10 AM – 11:15 AM PDT; 1 PM –  1:15 PM EDT

Register Now

Most organizations have never had to prove that they have reasonable information security. Business and legal pressures are changing this dramatically. The California Consumer Privacy Act exposes businesses that have been breached to serious financial liability when they do not have reasonable information security. With data breaches increasing in scope and damage regardless of the money spent on cybersecurity, businesses will need to validate – in effect prove – that they have reasonable information security in order to avoid financial, legal and reputational harm.

During this webinar, our panel of experts cover:

The meaning of reasonable information security: What is it? Why the established information security frameworks, such as NIST, ISO and CISO,  do not deliver reasonable information security; Why dynamic assessment of an organization’s information security posture is crucial; The impact of overlooked vulnerabilities in cloud and IoT environments.

The legal requirement for validating reasonable information security: The far-reaching impact of the California Consumer Privacy Act’s requirement for reasonable information security practices and procedures; Why the law is a precursor to similar requirements likely to be adopted by other states and the federal government; legal exposures arising from inability to validate reasonable information security.

The business and insurance imperatives for validating reasonable information security: Cyber insurance carriers will no longer take at face value an insured’s representations about its information security posture; Larger enterprises will decline to do business with companies that cannot validate the effectiveness of their information security measures; Regulated companies will no longer be permitted to self-certify their compliance with information security and privacy requirements. Continue reading

by

Robert E. Braun, chair of JMBM’s Cybersecurity & Privacy Group, will be the keynote speaker for the webinar, Privacy and Information Security – Best Practices and Imperatives.

Date: Wednesday, May 27, 2020

Time: 2:00 PM Pacific Time

Register Now Continue reading

by and

Moving to the Cloud to Save Money

The Covid-19 pandemic has created profound challenges for almost every organization. As these challenges mount, companies are dramatically cutting their soft costs, including information security. Many companies are reducing their information security and privacy compliance spending by moving to the cloud. This is good, right? Maybe, and only if the move is managed in a well-informed way. Not asking the right questions up front can lead to serious consequences.

It is crucial to keep in mind that no information security or privacy law in existence today views being in the cloud, in and of itself, as constituting reasonable information security. Nor does any information security or privacy law view the cloud as a mitigating factor in the context of data breaches.

 Increasing Reliance on Cloud Computing

The use of cloud platforms has grown exponentially. One of the results of the work-at-home mandate, which will persist even as work restrictions are relaxed, is the continuing move to cloud computing, both because of the benefits of scalability and the dedicated IT and IS resources afforded by cloud vendors and also the need to conserve financial resources. It is difficult and expensive to maintain onsite information technology and information security operations and staff. Cloud computing reduces costs and increases accessibility.

Moving to the cloud, however, does not eliminate all risks – some hazards go away but others are introduced. Cloud environments are vulnerable if end-users fail to observe proper security hygiene – vulnerabilities at the end-user level will create vulnerabilities in the cloud environment. It is imperative as well that the cloud vendor has appropriate information security and privacy compliance measures in place. Many smaller cloud vendors and service providers who use the cloud have deficient information security and privacy compliance frameworks, assuming they have any in place at all. Many organizations, especially small and medium sized businesses, seldom evaluate whether their vendor’s cloud is a safe place to be.

Getting the move to a cloud environment right is crucial. The security and availability of an organization’s data is important for both operational and business continuity reasons. Moving to a cloud is no excuse for taking eyes off of information security or for lax privacy compliance. Continue reading

by

Leonard Lee of Thomson Reuters Legal Current interviewed Bob Braun, Co-chair of JMBM’s Cybersecurity & Privacy Group for a podcast titled, “Are You Practicing Social Media Hygiene?”

Listen to the podcast here.

In this brief podcast (18:28 minutes), Bob Braun discusses the risks that both companies and individuals face when posting information on social media.

Braun describes situations in which hackers spoof a company’s boss, based on real-time information posted on social media, resulting in unrecoverable monetary losses for the company.

“Posting information about yourself on social media can be used by a hacker to fool you or people you know,” he said.

Braun covers issues that individuals and employees should be aware of when using social media, including email.

“Sophisticated programs are easily available on the dark web. We are dealing with bad actors who are extremely skilled and creative,” he said.

“Habits on social media have to be consistent in business and personal lives.”

Listen to the podcast here. Continue reading

by

Robert E. Braun and Michael A. Gold, co-chairs of JMBM’s Cybersecurity & Privacy Group, will participate as panelists on the webinar, What is Reasonable Information Security?

Date:   Thursday, April 23, 2020
Time: 10:00 AM – 11:30 AM Pacific Time

Register Now

JMBM’s cybersecurity lawyers, along with a cybersecurity consultant, a Chief Information Security Officer, and a cyber compliance expert will address the following questions about reasonable information security:

  • What isn’t it?
  • What is it?
  • What does the legal landscape look like?
  • Is it a realistic goal?
  • How does it impact my 3rd party risk policies and practices?

Moderator:

Sean Weppner – Chief Strategy Officer, Nisos

Panelists:

Robert E. Braun – Partner and Co-chair of JMBM’s Cybersecurity & Privacy Group
Michael A Gold – Partner and Co-chair of JMBM’s Cybersecurity & Privacy Group
Art Ehuan – Vice President, Crypsis
Gerald Beuchelt – CISO, LogMeIn
Greg Kruck – Director, Sales Engineering, CyCognito

Register Now for This Informative Program

 

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

Michael A. Gold is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Known for both legal expertise and an understanding of technology, he works with Boards of Directors, C-Suite executives, and IT directors to address cyber risks. He advises clients on domestic and international requirements for information privacy and security. He represents companies in complex litigation and arbitrations, including class action defense actions connected with data breach and privacy claims. Contact Mike at MGold@jmbm.com or +1 310.201.3529.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.