by

Cyber risk affects businesses of every size and industry. A data breach can lead to negative publicity, loss of customer confidence and potential lawsuits. There can be a variety of unanticipated – and costly – business disruptions.

Just ask the owners of the Romantik Seehotel Jaegerwirt hotel, in the Austrian Alps, which recently had their systems frozen by hackers, resulting in the complete shutdown of hotel computers. The hackers breached the hotel’s key card system, making it impossible for guests to enter their rooms and preventing the hotel from reprogramming the cards.

The hackers did not scrape guests’ credit card data, as has happened with other hotel data breaches, but instead demanded a ransom payable in Bitcoin. The Romantik Seehotel Jaegerwirt – which was fully occupied at the beginning of ski season – paid the ransom, at which time control of the key card system was restored.

While highly disruptive, it’s easy to imagine how it could have been worse. Fortunately, the hotel located and fixed the backdoor left by the hackers (which the hackers tried to exploit almost immediately) and secured their systems.

Vulnerability to hackers seeking to take control of a building’s system is a very real threat to organizations of all kinds: hospitals, hotels, law firms, research facilities, banks, retailers – virtually any kind of business that is housed in a “smart” building. Continue reading

by

human-firewall-superhero-300x166One of the great frustrations in contemplating a data security program is that there is no such thing as a one-size-fits-all solution.  There is no law or regulation that specifies the exact steps a company needs to take in order achieve data security.  While there are some regulatory and industry recognized compliance programs – like health law requirements under HIPPA and the data security standards established by the Payment Card Industry – these provide compliance guidelines, not actual data security.  And these compliance guidelines themselves emphasize that each firm must establish security standards which meet the requirements of their business operations.

The fact is that data security, like any kind of security, requires a clear understanding of the unique needs and operations of a company.  Every company has different information requirements and standards as to the information it collects, how it retains and how it uses that information.  Consequently, data security can only be achieved by understanding what a particular firm does, not what is common or typical in an industry.

Assessment Defines Approach

Another factor is that while it is common to look at data security as a technical issue, technical compliance addresses only part of the goal; any review of data breaches will show that individuals – the human factor – are the most common source of insecurity.  This is not just due to the possibility of an employee clicking on the wrong website or responding to the wrong email; human error can start at the point that a data security plan, and its technical components, are contemplated.  Without understanding the scope of the company’s data security requirements, those selecting and implementing the “solution” will find that they have not addressed the security challenges.

Continue reading

by

December is the month for predictions.  During this month, commentators of all sorts and in all areas predict the trends and actions that will impact us during the coming year.  While speculating the future is a questionable pursuit, we at the Cybersecurity Lawyer Forum would hate to be left out of the fun.   With that in mind, a few thoughts on what we might expect in the year to come.

National Cybersecurity Legislation

Legislation in the United States is less an exercise in establishing comprehensive systems than in reacting to events; much legislation tends to be anecdotal and designed to fit the day’s headlines.  Moreover, legislation is a curious process, and even with the Congress and White House held by the same party, legislation is hard to pass.

Cybersecurity legislation faces additional hurdles.  It is not always the highest priority for lawmakers, especially during a year when an entirely new administration must be established, and when the campaign promises of the last year did not include cybersecurity as a priority. Continue reading

by

 

Over the past several years, the Federal Trade Commission has emerged as the de facto national regulator of online security and privacy. While banking and health regulators hold sway over their specific industries, the FTC has used its authority, granted under Section 5 of the Federal Trade Commission Act to address unfair or deceptive acts or practices, the FTC has pursued companies that it believes have misleading privacy statements, or fail to secure personal customer information, and brought actions and entered into settlements with a variety of companies, including hotels, data service providers, retailers and others. In most cases, the defendants have settled to avoid expensive and damaging litigation.

One of the few companies that chose not to settle was LabMD. LabMD was a medical testing company that specialized in cancer detection. Between 2005 and 2008, one of LabMD’s administrative employees ran LimeWire, a peer-to-peer file sharing application, on her computer. The configuration of the application allowed (unintentionally) sensitive files on her computer to be shared on the LimeWire network and made public. This vulernerability was discovered by an independent security consulting company, Tiversa, whose business model is to search for possible security breaches and offer to fix them for a fee. Tiversa, upon discovering the vulnerability, stole a file containing insurance records for approximately 9,300 patients as evidence of the vulnerability and sought to have LabMD hire them. After LabMD refused to engage Tiversa,  Tiversa reported LabMD’s vulnerability to the FTC. Continue reading

by

3679571-business-peopleOne of the challenges – perhaps the biggest challenge – to achieving cybersecurity is complexity.  Every day we are faced with new threats as hackers display their creativity and new technologies and approaches to addressing those threats.  Governments, both U.S. and foreign, regularly propose laws and regulations better to protect us – and to confuse us.  And underlying all of it is technical language which seems designed to prevent us from understanding the challenge of cybersecurity.

It’s no wonder that one of the things our clients most often ask is where to start – what is one thing that they can do to start the process of becoming cybersecure.  And the fact is that there is one thing that will put you on the road to cyber security:  Creating a culture of security.

While many firms claim to have a “culture of security,” it’s unclear that they have made the commitment to engage every aspect of their operations, and every one of their personnel, in the goal of creating a cybersecure environment.  Cybersecurity requires a firm to create in each of its personnel a “human firewall.”

An enterprise-wide focus on security requires a focus on people, not on technology.  However important security technology may be – and we do not suggest that a company skimp on its technology budget! – most technological defenses can be overcome by individuals, whether through lack of training, negligence, or malice.  Consequently, bringing individuals into the cybersecure culture and making them stakeholders will have an immediate and measurable impact on cybersecurity efforts.

So, then, how is a cybersecure culture achieved?  A few essential steps are required: Continue reading

by

Digital Padlock on Circuit Background - Web Security Concept

California adopted the first data breach notification law in the nation in 2002, and has consistently worked to ensure that its law remains at the forefront of data security laws in the United States.  California burnished this reputation on September 13, 2016, when Governor Jerry Brown signed AB 2828, sponsored by Legislator Ed Chau.  This law amends California’s data breach notification law, Civil Code Section 1798.82, by making significant changes to the reporting requirements for businesses who hold personal information that has been compromised.

Prior to the adoption of AB 2828, California, like most other states, did not require businesses to disclose breaches where “encrypted” information is breached.  AB 2828 will, effective January 1, 2017, require businesses to disclose breaches when encrypted information has been acquired in an unauthorized breach if the encrypted data is leaked together with the encryption key or security credential that “could render that personal information readable or useable.”

Encryption Safe Harbor

The exception for encrypted personal data has been part of California law since its adoption; however, it had a potentially significant flaw:  even if the key to encrypted data was disclosed, making it readable by hackers and other bad players, the business was not obligated to issue a notice to affected individuals.  In other words, even when encrypted information was, in fact, readable, a business was not required to report a breach.  The result was that some individuals whose personal information was disclosed never received notice and could not take steps to protect their financial information or identity.

The Electronic Frontier Foundation, in support of AB 2828, said that “AB 2828 would fill an important gap in California’s current data breach notification law.  A thief might steal an encrypted laptop, along with a note carelessly taped to the device stating the decryption password.  Or a thief might remotely steal encrypted data, and later use social engineering to acquire the security credentials. In these and many other circumstances, wrongdoers will acquire both encrypted personal information and the power to decrypt that information.  In such circumstances, people should be notified that they are at risk of wrongdoers misusing their personal information.”

When AB 2828 becomes effective, that data that has been converted into code so as to be readable only by those who have the encryption key to decode it will be subject to the broad terms of California’s disclosure law.  While AB 2828 patches a potential flaw in the law – encrypted data is no longer protected if one holds the key – it also creates a challenge for many businesses. Continue reading

by

I’m attending the Arthur J. Gallagher Risk Management Roundtable on September 12 and 13 at the Intercontinental Hotel  in New Orleans, where Alex Ricardo of Beazley and I will be speaking on Cybersecurity in the Hospitality Industry tomorrow morning.  I’ll be leading a discussion of the unique privacy and security issues facing hotels, managers and owners, the legal issues facing hotels, director and officer concerns, and the importance of preparing for the inevitable breach.

Cybersecurity is one of the biggest issues facing hotels – barely a day goes by without the report of another hotel chain being targeted, and for good reason; hotels have many of the openings that hackers look for, including multiple systems, wide access to WiFi (with limited or no security), valuable data, large numbers of employees and vendors with access to hotel systems, and customers that, unwittingly, can aid in carrying out a breach.

If you are interested in a copy of my presentation, you can reach me at rbraun@jmbm.com.

 

by

3679571-business-peopleParalysis is one of the biggest obstacles to achieving a cybersecure environment.  Companies are often unable to take the steps necessary to bring security to an enterprise. It’s not only common; it’s entirely understandable.

Achieving cybersecurity appears to be an overwhelming task. Every day brings another headline announcing a data breach, or reports on the enormous cost of data breaches – one has to wonder if implementing a cybersecurity regime would even achieve its goal. Companies are challenged by the complexity of their systems and the seemingly impenetrable jargon used to describe them.  Funding a cybersecurity program is a challenge – as one CEO put it, “I gave my team an unlimited budget, and they exceeded it.”  Spending valuable time and scarce resources on security takes away from operations that ground an enterprise. Companies fear that focusing on cybersecurity can only come at the expense of their core operations.

Continue reading

by

Digital Padlock on Circuit Background - Web Security Concept

Spring is the season for many things, including the publication of cybersecurity surveys. In the past few months, Verizon has published its Data Breach Investigations Reports, Ponemon Institute Published its 2016 Study on How Organizations Manage Data Breach Exposures, the California Attorney General published its annual California Data Breach Report, and a variety of others have published reports describing the state of cybersecurity and privacy, and the threats individuals and businesses face in online security. While the reports each contain important facts and focus on different aspects of cybersecurity, they also have some key lessons for enterprises that focus on risk reduction:

Continue reading

by

Businessman drawing a circle around people icons - Marketing and consumer target groups conceptIn Michael Gold’s commentary, “Still Only Human,” published in the July 18, 2016 edition of the Los Angeles Business Journal, he writes:

“Cybercrime cost the world economy about $500 billion in 2015 and this year’s numbers will be even higher. The cost of data breaches is projected to reach $2.1 trillion globally by 2019. Worldwide spending on information security is estimated to have been $77 billion last year. In the midst of these astounding numbers, the role of the “human factor” gets lost. This is a frightening fact.”

Large companies can spend a small fortune on cyber defense. But Gold points out that cybersecurity is not just a “tech” issue – it is a “human” issue, as well. One careless or uninformed employee can click on a link that gives hackers access to sensitive personal and financial data, as well as a company’s vital intellectual property.

Continue reading