Diligence requires understanding of the risks.
Cybersecurity and Privacy Diligence in a Post-Breach World
Posted by Paul Ferrillo, Weil, Gotshal & Manges LLP, on Sunday, February 15, 2015 – The Harvard Law School Forum on Corporate Governance and Financial Regulation.
“Editor’s Note: Paul A. Ferrillo is counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation. This post is based on a Weil Alert authored by Mr. Ferrillo and Randi Singer; the complete publication, including footnotes, is available here.

Thus, it is absolutely critical to understand what kind of data a company collects, how the company uses, stores, shares, processes, protects, and disposes of information, and how to develop and evaluate a plan to respond to attacks that target these data. Proper planning can mean the difference between a news story that begins, “Sony has just announced that Sony Pictures Entertainment co-chairman Amy Pascal is stepping down from her post,” and one that announces a major cyber-attack, but concludes, “Anthem said it doesn’t expect the incident to affect its 2015 financial outlook, ‘primarily as a result of normal contingency planning and preparation.’” Proper planning includes incident response and information management business continuity planning, which are mission-critical. They are (or should be) part of a Board’s enterprise risk management duties, and they are particularly vital for certain federally-regulated entities with an obligation to protect consumer and client information and to keep it private. We have written in-depth elsewhere about incident response plans and their elements. Here, we set forth a high-level summary designed to help evaluate a company’s incident response and business continuity plans…”
[From the publication: As there is no silver bullet in a constantly-evolving environment where hackers are often several steps ahead of cybersecurity professionals (or at least adapt quickly to new security measures), a lawyer conducting due diligence on a company’s incident response plan should evaluate the approach and process of the plan.]
“You ain't seen nothing yet!”
Data breaches of over 1 billion records in 2014
CNBC – “Over a billion personal data records were compromised by cyberattacks in 2014, a new report has revealed, driven by high-profile breaches on Home Depot, JPMorgan and eBay. The 1,023,108,267 records breached in 2014 came from just 1,541 incidents, according to the Breach Level Index report by digital security company Gemalto. It marked a 78 percent surge in the number of personal data records compromised compared to 2013. Last year saw a number of major hacking attacks on companies including Sony Pictures Entertainment and investment bank JPMorgan.

The biggest incident occurred when AliExpress, a service run by New York-listed Alibaba, was breached, leaving 300 million personal records open to hackers, who didn’t need passwords to access the accounts.”
Gemalto Releases Findings of 2014 Breach Level Index – February 12, 2015 – “Gemalto, the world leader in digital security, releases the latest findings of the Breach Level Index, revealing that more than 1,500 data breaches led to one billion data records compromised worldwide during 2014. These numbers represent a 49% increase in data breaches and a 78% increase in data records that were either stolen or lost compared to 2013.

Continuing with this industry-leading benchmarking from SafeNet following its acquisition by Gemalto, the Breach Level Index (BLI) is a global database of data breaches as they happen and provides a methodology for security professionals to score the severity of breaches and see where they rank among publicly disclosed breaches. The BLI calculates the severity of data breaches across multiple dimensions based on breach disclosure information. According to data in the BLI originally developed by SafeNet, the main motivation for cybercriminals in 2014 was identity theft, with 54% of all data breaches being identity theft-based, more than any breach category including access to financial data. In addition, identity theft breaches also accounted for one-third of the most severe data breaches categorized by the BLI as either Catastrophic (with a BLI score of between 9.0 and 10) or Severe (7.0 to 8.9). Secure breaches, which involved breaches of perimeter security where compromised data was encrypted in full or in part, increased to 4% from 1%.”
For my Computer Security students.
An introduction to social engineering was released by the UK Computer Emergency Response Team (CERT) on January 21, 2015:

“Social engineering is a prolific and effective means of gaining access to the secure systems and sensitive information of an organisation. Attacks vary from bulk phishing emails to highly targeted, multi-layered techniques. These attacks often prey on common aspects of human psychology such as curiosity and greed and do not necessarily require a great deal of technical ability.

Organisations need to be aware of this unique cyber-threat and take precautions to prevent falling victim to a social engineering attack and respond appropriately if the worst happens. This paper provides readers with an overview of the techniques used and the steps that can be taken to help you protect your organisation’s information.”

The paper includes an overview of wide-scale attacks such as phishing and baiting, as well as focused attacks involving spear phishing, watering hole attacks, attacking on multiple fronts, and physical baiting.

You can download the paper from CERT-UK (pdf, 10 pp.).
Also for my Computer Security students (but this is less useful): The full text.
An interesting question (for my students? TBD): Can you protect your children from social media?
White House Investigating Origins of Malia Obama's Mysterious Instagram Pic

It's a national mystery that has left both the social media world and the Secret Service scratching their heads.

On Sunday night, a photo of what appears to be Malia Obama wearing a Pro Era shirt surfaced on Instagram. It quickly went viral after the Brooklyn-based hip-hop collective posted the pic to advertise its online store.

…

Michelle Obama has been very vocal in the past about how she regulates her daughters' social media usage. She told Barbara Walters in 2013 that Malia could only use Facebook, and Sasha was banned from all forms of social media in an effort to protect the girls from the public eye.
If you want privacy, don't use a phone?
Michael Geist writes about an issue I’ve commented on before:

In October 2013, Bell announced the launch of a targeted advertising program that uses its customers’ personal information to deliver more “relevant advertising.” The announcement sparked hundreds of complaints with the Privacy Commissioner of Canada and a filing by the Public Interest Advocacy Centre over the same issue with the Canadian Radio-television and Telecommunications Commission.

Nearly a year and a half later, the complaints and filings remain unresolved. The CRTC case has succeeded in placing considerably more information on the public record, however, offering a better perspective on what Bell is doing and why its privacy approach falls short.

Read more on Toronto Star.

[From the article: From Bell’s perspective, the targeted advertising approach, which it calls RAP or Relevant Ads Program, does not involve the collection of additional information (it already collects whatever is being used).]
Once upon a time, sci-fi promised a flying car in every garage. No one was talking about a three-dimensional traffic grid. Now we have to sift through all potential uses for drones and try to establish rules and safety protocols. If my students could write software that forced drones to follow the rules, would Amazon be allowed to deliver dog food to my back porch?
No Amazon Deliveries by Drone, At Least Not For Awhile

…

“This is not the last word, by any means,” Michael Huerta, chief of the U.S. Federal Aviation Administration, told reporters on a conference call Sunday from Washington.

For the time being, the FAA has concluded that small drones for hire must be flown within sight of an operator and away from crowds for safety reasons.
After the first couple (maybe three) rounds of sanctions, you run out of sanctions that might actually hurt, and you find yourself reduced to minor functionaries and B-list entertainers?
Russian singer, deputy ministers top new EU sanctions list
An article my students can translate for businesses (and students):
Social Media Strategies for Consultants: Facebook
Am I creating Data Scientists or merely Analysts? (Is “merely” “good enough”?)
Are Data Scientists Really a Breed Apart?

… Companies are hungry for data scientists to make sense of the information they’ve compiled, putting these particular analysts in high demand. “Today’s data scientists are often singled out as a breed apart — and for good reason,” argue Harris and Mehrotra. “They tend to be better programmers than most statisticians and better statisticians than most programmers.”

Types of data:
- Analysts: Structured and semistructured, mostly numeric data
- Data Scientists: All types, including unstructured, numeric and nonnumeric data (such as images, sound, text)

Nature of work:
- Analysts: Report, predict, prescribe and optimize
- Data Scientists: Explore, discover, investigate and visualize

The research also explored the challenges of managing data scientists. A common complaint is that data scientists “don’t see a need to explain or talk about the implications of their insights, which makes it difficult for them to partner effectively with professionals whose business expertise lies outside of the technical realm.”

For more on Harris and Mehrotra’s research, including their seven recommendations for how to manage data scientists for maximum business value, read the full article. And for thoughts about how companies can automate the data scientist function, read Michael Fitzgerald's recent blog post "Data Scientist In a Can?"
For my researching students.
50 Google Search Tips & Tricks
By Craig Lloyd:

“… you can take advantage of a ton of other Google Search features that go well beyond just the text box. Google supports a ton of cool tricks that you can use in order to be better at searching for something and quickly find what you’re looking for. Using things like boolean terms and even some symbols can help you perform better searches on Google, and by the time you get done going through this list, you’ll be a Google Search master (or a reasonable facsimile thereof).”