The grousing began within 24 hours of Equifax’s announcement, last Thursday, of its massive data breach that compromised personal data of over 140 million U.S. consumers.  I’m generally unsympathetic about such complaints (“We’re shocked – SHOCKED – that in a breach affecting 140+ million people, we’re having trouble immediately reaching a live person at the phone bank!  And the breach website is not operating smoothly!”). Usually only Louis CK’s masterpiece “Everything’s Amazing – and Nobody’s Happy” can coax me out of my grumpy place.

But as post-announcement events have unfolded, some of the initial criticism appears to have legs:

At last!!!  A good reason not to create dozens of hard-to-remember passwords!  The updated National Institute of Standards and Technology guidance on creating passwords has been out for a while now, but the word has been slow in trickling down to end users.  It’s time to pay attention, because the recommendations represent a huge departure from standard practice.  First, the good news:

The good

NIST is part of the US Department of Commerce and an authoritative standards-making body.  It is the entity that wrote the primer on how to create all those complex and hard-to-remember passwords in the first place. You know, passwords like *Pa$$w)rd3!  NIST now acknowledges through this publication that the old rules affected usability negatively. It also turns out that passwords composed of a few common words strung together are far stronger than upper-lower-numbers-characters passwords, so the old way was less secure than we thought.

It’s big news then that NIST has seen the error of its ways and now recommends creating passwords we can remember.  Even more important, it also now recommends that a password not be changed unless there is an indicator it has been compromised or forgotten by the user.  Of course, being the government, calling a password a password is just too hard.  The term in NIST SP800-63B 2017 is “Memorized Secret Authenticator.”  Whatever you choose to call it, user guidance is simple:

A swarm of zombies, led by Byte Walkers, surges inexorably onward to penetrate a massive perimeter wall by force and stealth.  Sounds like Game of Thrones, right?  Instead, this is our cyberthreat reality. And in an ironic twist that would make George R. R. Martin blush under his beard, it’s now painfully real for HBO, which recently acknowledged suffering a massive cyber intrusion through which hackers claim to have stolen up to 1.5 terabytes of proprietary data, including future Game of Thrones episodes.

First Sony, then Netflix, and now HBO – what’s a Westerosi to make of this?

Hurricane season is in full swing.  As I write this, Tropical Storm Emily is drenching Florida, and the governor has declared a state of emergency.  Having lived in Florida myself, I know that most coastal residents do take hurricanes seriously.  There are always those, however, who either don’t grasp the possibility that if a hurricane hits they can suffer real damage, or simply play the odds that it won’t happen to them.  Hurricane readiness for them is a bottle of Cuervo Reserva and some DVDs for entertainment in case the power goes out.  And so, too, it goes with data breaches.

Breach readiness today ranges from total denial, through half-hearted attempts at maintaining current backups, to—for a minority—sophisticated IT security teams and technology ready to detect, respond, and recover.  Even the technologically prepared, though, have likely not planned beyond containment and recovery.  Consider our hurricane scenario.  Minimal readiness includes necessities for riding out the storm: an evacuation plan, water, food, flashlights, medical supplies, and so on.  Those things should get you through the first 48 hours, much like the immediate IT response to a data breach.  But what next?


Many years ago, before common sense kicked in, I thought it would be a good idea to rent a storage space for all the extra furniture and other stuff I could not fit in my new house.  Knowing it would only be temporary, I stashed everything from upholstered and leather furniture to boxes of books.  Fast forward twelve months.  The rental agreement was expiring, and I realized that I would never need nor have room for all that I’d stored, so I decided to have a sale to dispose of it.  When I went to the storage space I was horrified to see that everything was covered in a thin film of mold.  (This was years before climate-controlled storage was widely available.)  I had no choice but to trash it all, which both cost me money and prevented me from converting my goods to profit.

I was reminded of this long-ago event when I heard about the latest ransomware attack.  We’ve been reminded countless times of the importance of backup, and ransomware is only the most recent reason.  If you have ever had a hard drive fail, you know the pain that comes with irretrievable data.

So what happens when your backup media fails?  Or your archival media?  Don’t CDs last forever?

It’s a common complaint – most U.S. laws requiring data security never cough up the specifics of what must be done to comply. Unlike other areas of business regulation, data security requirements seem hopelessly vague:

  • Several states’ PII laws require businesses to implement and maintain “reasonable security procedures and practices” to protect PII from unauthorized access, destruction, use, modification, or disclosure.
  • Regulations under the Gramm-Leach-Bliley Act compel financial institutions to have a “reasonably designed” comprehensive information security program with administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.
  • FACTA regulations require that consumer report information be disposed of “by taking reasonable measures to protect against unauthorized access to or use of the information….”
  • HIPAA covered entities and business associates must address the security standards for ePHI in a way that protects against “reasonably anticipated threats or hazards” to ePHI security or integrity.
  • The FTC enforces reasonable data security under Section 5 of the FTC Act, which prohibits unfair and deceptive acts in commerce, without explicitly mentioning data security and without any supporting regulatory standards for specific data safeguards.

Obviously, we can’t just put “remember to have reasonable data security” in a compliance checklist or internal audit protocol, because “reasonable” tells us nothing concrete about what specific security controls are needed to be compliant.  So, why do these laws stop short of telling us specifically what to do?


While preparing for an upcoming presentation for in-house lawyers on data security, I dusted off the events of three months ago, when Yahoo! Inc. unceremoniously fired its general counsel on March 1st, the very same day it filed its 10-K for fiscal year 2016.  Yahoo’s 10-K disclosed the contemporaneous dismissal as a “Management Change” resulting from its Board of Directors’ Independent Committee investigation into Yahoo’s immense 2013-2014 data breaches, which were not disclosed until 2016. Unlike prior mega-breaches, in which the head of IT or the CEO was let go (Target, Sony), Yahoo singled out its lead in-house lawyer for firing … without separation compensation of any kind.

Henceforth, whether fairly or not, March 1 will be known as In-house Counsel Data Security Awareness Day – because it’s now clearer than ever before that in-house lawyers must take a hands-on approach to breach response, breach response readiness, and data security generally.


… well, not quite that fast.  But nine minutes is pretty quick, as FTC researchers recently confirmed.

The FTC’s Office of Technology Research & Investigation (OTech) ran an experiment in April and May, posting made-up personally identifiable information in plain text on two different Internet paste sites.  The phony PII was consumer account information for 100 fictitious people, including name, address, phone number, email address, password, and payment means (credit card number, online payment account, or Bitcoin wallet).  Then, OTech waited to see what would happen, monitoring for access attempts on email and payment accounts, attempted credit card charges, and calls and texts received.

The results, and the speed of those results, were a surprise to all but the most jaded.  Here’s what OTech’s monitoring revealed:


Sometimes one must look past the headlines (Target’s $18.5 million deal with the states) to see what’s truly important in effective data breach response.

Last week, in the Experian data breach litigation, the District Court denied plaintiffs’ motion to compel production of the forensic analysis report on the breach, prepared by Mandiant.  Why?  Because it was Experian’s law firm that retained Mandiant to perform the forensic analysis and prepare its report, in anticipation of litigation.  According to the court:

  • Jones Day hired Mandiant to assist the law firm in providing legal advice to the client Experian;
  • Mandiant’s report was based on server images that are independently discoverable, without the report;
  • only a summary, not the full report, was shared with Experian’s internal Incident Response Team; and
  • though Mandiant had in the past worked directly for Experian on other matters, this engagement was separate.

On this basis the court held that the report was protected work product, without even reaching the additional point of attorney/client privilege.

So what’s the big deal?  It’s this – in the heat of an unfolding security incident (in Experian’s case, impacting 15 million people), things move fast.  Really fast.  Victim companies scramble to understand what happened, when it happened, what must now be done, and by when. The what and when are of course important, but so too are the who and how of effective breach response.  For example, a natural move under the gun is to have the infosec folks immediately bring in an outside security/forensics firm and turn them loose.  Sounds great … until litigation ensues, and all of the forensic firm’s analysis is fair game in discovery – the good, the bad, and the ugly.

This is a no-win situation, for both the unprepared and the semi-prepared:
