Monday, February 16, 2015
Diligence requires understanding of the risks.
Cybersecurity and Privacy Diligence in a Post-Breach World
Posted by Paul Ferrillo, Weil, Gotshal & Manges LLP, on Sunday February 15, 2015 – The Harvard Law School Forum on Corporate Governance and Financial Regulation.
“Editor’s Note: Paul A. Ferrillo is counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation. This post is based on a Weil Alert authored by Mr. Ferrillo and Randi Singer; the complete publication, including footnotes, is available here.
Thus, it is absolutely critical to understand what kind of data a company collects, how the company uses, stores, shares, processes, protects, and disposes of information, and how to develop and evaluate a plan to respond to attacks that target these data. Proper planning can mean the difference between a news story that begins, “Sony has just announced that Sony Pictures Entertainment co-chairman Amy Pascal is stepping down from her post,” and one that announces a major cyber-attack, but concludes, “Anthem said it doesn’t expect the incident to affect its 2015 financial outlook, ‘primarily as a result of normal contingency planning and preparation.’” Proper planning includes incident response and information management business continuity planning, which are mission-critical. They are (or should be) part of a Board’s enterprise risk management duties, and they are particularly vital for certain federally-regulated entities with an obligation to protect consumer and client information and to keep it private. We have written in-depth elsewhere about incident response plans and their elements. Here, we set forth a high-level summary designed to help evaluate a company’s incident response and business continuity plans…”
[From the publication:
As there is no silver bullet in a constantly-evolving environment where hackers are often several steps ahead of cybersecurity professionals (or at least adapt quickly to new security measures), a lawyer conducting due diligence on a company’s incident response plan should evaluate the approach and process of the plan.
“You ain't seen nothing yet!”
Data breaches of over 1 billion records in 2014
CNBC – “Over a billion personal data records were compromised by cyberattacks in 2014, a new report has revealed, driven by high-profile breaches on Home Depot, JPMorgan and eBay. The 1,023,108,267 records breached in 2014 came from just 1,541 incidents, according to the Breach Level Index report by digital security company Gemalto. It marked a 78 percent surge in the number of personal data records compromised compared to 2013. Last year saw a number of major hacking attacks on companies including Sony Pictures Entertainment and investment bank JPMorgan. The biggest incident occurred when AliExpress, a service run by New York-listed Alibaba, was breached, leaving 300 million personal records open to hackers, who didn’t need passwords to access the accounts.”
Gemalto Releases Findings of 2014 Breach Level Index – February 12, 2015 ─ “Gemalto, the world leader in digital security, releases the latest findings of the Breach Level Index, revealing that more than 1,500 data breaches led to one billion data records compromised worldwide during 2014. These numbers represent a 49% increase in data breaches and a 78% increase in data records that were either stolen or lost compared to 2013. Continuing with this industry-leading benchmarking from SafeNet following its acquisition by Gemalto, the Breach Level Index (BLI) is a global database of data breaches as they happen and provides a methodology for security professionals to score the severity of breaches and see where they rank among publicly disclosed breaches. The BLI calculates the severity of data breaches across multiple dimensions based on breach disclosure information. According to data in the BLI originally developed by SafeNet, the main motivation for cybercriminals in 2014 was identity theft with 54% of all data breaches being identity theft-based, more than any breach category including access to financial data. In addition, identity theft breaches also accounted for one-third of the most severe data breaches categorized by the BLI as either Catastrophic (with a BLI score of between 9.0 and 10) or Severe (7.0 to 8.9). Secure breaches, which involved breaches of perimeter security where compromised data was encrypted in full or in part, increased to 4% from 1%.”
For my Computer Security students.
An introduction to social engineering was released by the UK Computer Emergency Response Team (CERT) on January 21, 2015:
Social engineering is a prolific and effective means of gaining access to the secure systems and sensitive information of an organisation. Attacks vary from bulk phishing emails to highly targeted, multi-layered techniques. These attacks often prey on common aspects of human psychology such as curiosity and greed and do not necessarily require a great deal of technical ability.
Organisations need to be aware of this unique cyber-threat and take precautions to prevent falling victim to a social engineering attack and respond appropriately if the worst happens. This paper provides readers with an overview of the techniques used and the steps that can be taken to help you protect your organisation’s information.
The paper includes an overview of wide-scale attacks such as phishing and baiting, as well as focused attacks involving spear phishing, watering hole attacks, attacking on multiple fronts, and physical baiting.
You can download the paper from CERT-UK (pdf, 10 pp.)
Also for my Computer Security students (but this is less useful): The full text.
Presidential Memorandum: Promoting Economic Competitiveness While Safeguarding Privacy, Civil Rights, and Civil Liberties in Domestic Use of Unmanned Aircraft Systems
An interesting question (for my students? TBD): Can you protect your children from social media?
White House Investigating Origins of Malia Obama's Mysterious Instagram Pic
It's a national mystery that has left both the social media world and the Secret Service scratching their heads.
On Sunday night, a photo of what appears to be Malia Obama wearing a Pro Era shirt surfaced on Instagram. It quickly went viral after the Brooklyn-based hip-hop collective posted the pic to advertise its online store.
… Michelle Obama has been very vocal in the past about how she regulates her daughters' social media usage. She told Barbara Walters in 2013 that Malia could only use Facebook, and Sasha was banned from all forms of social media in an effort to protect the girls from the public eye.
If you want privacy, don't use a phone?
Michael Geist writes about an issue I’ve commented on before:
In October 2013, Bell announced the launch of a targeted advertising program that uses its customers’ personal information to deliver more “relevant advertising.” The announcement sparked hundreds of complaints with the Privacy Commissioner of Canada and a filing by the Public Interest Advocacy Centre over the same issue with the Canadian Radio-television and Telecommunications Commission.
Nearly a year and a half later, the complaints and filings remain unresolved. The CRTC case has succeeded in placing considerably more information on the public record, however, offering a better perspective on what Bell is doing and why its privacy approach falls short.
Read more on Toronto Star.
[From the article:
From Bell’s perspective, the targeted advertising approach, which it calls RAP or Relevant Ads Program, does not involve the collection of additional information (it already collects whatever is being used)
Once upon a time, sci-fi promised a flying car in every garage. No one was talking about a three-dimensional traffic grid. Now we have to sift through all potential uses for drones and try to establish rules and safety protocols. If my students could write software that forced drones to follow the rules, would Amazon be allowed to deliver dog food to my back porch?
No Amazon Deliveries by Drone, At Least Not For Awhile
… “This is not the last word, by any means,” Michael Huerta, chief of the U.S. Federal Aviation Administration, told reporters on a conference call Sunday from Washington.
For the time being, the FAA has concluded that small drones for hire must be flown within sight of an operator and away from crowds for safety reasons.
After the first couple (maybe three) rounds of sanctions, you run out of sanctions that might actually hurt and you find yourself reduced to minor functionaries and B list entertainers?
Russian singer, deputy ministers top new EU sanctions list
An article my students can translate for businesses (and students)
Social Media Strategies for Consultants: Facebook
Am I creating Data Scientists or merely Analysts? (Is “merely” “good enough”?)
Are Data Scientists Really a Breed Apart?
… Companies are hungry for data scientists to make sense of the information they’ve compiled, putting these particular analysts in high demand. “Today’s data scientists are often singled out as a breed apart — and for good reason,” argue Harris and Mehrotra. “They tend to be better programmers than most statisticians and better statisticians than most programmers.”
Types of data:
Analysts: Structured and semistructured, mostly numeric data
Data Scientists: All types, including unstructured, numeric and nonnumeric data (such as images, sound, text)
Nature of work:
Analysts: Report, predict, prescribe and optimize
Data Scientists: Explore, discover, investigate and visualize
The research also explored the challenges of managing data scientists. A common complaint is that data scientists “don’t see a need to explain or talk about the implications of their insights, which makes it difficult for them to partner effectively with professionals whose business expertise lies outside of the technical realm.”
For more on Harris and Mehrotra’s research, including their seven recommendations for how to manage data scientists for maximum business value, read the full article. And for thoughts about how companies can automate the data scientist function, read Michael Fitzgerald's recent blog post "Data Scientist In a Can?"
For my researching students.
50 Google Search Tips & Tricks
By Craig Lloyd:
… “you can take advantage of a ton of other Google Search features that go well beyond just the text box. Google supports a ton of cool tricks that you can use in order to be better at searching for something and quickly find what you’re looking for. Using things like boolean terms and even some symbols can help you perform better searches on Google, and by the time you get done going through this list, you’ll be a Google Search master (or a reasonable facsimile thereof).”