American architect Louis Sullivan, who coined the iconic phrase “form ever follows function,” was flat wrong – at least when it comes to the relationship of what we do and how we capture it with data.  The reality is instead that the medium shapes the message, and that record-keeping alters the processes it records.  Need a current example?  One only has to consider how the President’s staccato bursts of tweets now drive public attention, media focus, and policy debates, both domestically and abroad.

But a more profound example is the life’s work of Dr. Lawrence Weed, who passed away last week at age 93.

Continue Reading With business processes and records, we have it backwards – function follows form

It’s a common complaint – most U.S. laws requiring data security never cough up the specifics of what must be done to comply. Unlike other areas of business regulation, data security requirements seem hopelessly vague:

  • Several states’ PII laws require businesses to implement and maintain “reasonable security procedures and practices” to protect PII from unauthorized access, destruction, use, modification, or disclosure.
  • Regulations under the Gramm-Leach-Bliley Act compel financial institutions to have a “reasonably designed” comprehensive information security program with administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.
  • FACTA regulations require that consumer report information be disposed of “by taking reasonable measures to protect against unauthorized access to or use of the information….”
  • HIPAA covered entities and business associates must address the security standards for ePHI in a way that protects against “reasonably anticipated threats or hazards” to ePHI security or integrity.
  • The FTC enforces reasonable data security under Section 5 of the FTC Act, which prohibits unfair and deceptive acts in commerce, without explicitly mentioning data security and without any supporting regulatory standards for specific data safeguards.

Obviously, we can’t just put “remember to have reasonable data security” in a compliance checklist or internal audit protocol, because “reasonable” tells us nothing concrete about what specific security controls are needed to be compliant.  So, why do these laws stop short of telling us specifically what to do?

Continue Reading Why don’t data security laws simply tell us what we need to do?

In a previous post I suggested that Information Technology is really in a good position to help identify and clean up ROT (redundant, obsolete, and trivial information).  Sometimes, though, IT needs a helping hand to get the attention of those who can approve a budget for clean-up initiatives.  Here’s where Audit comes in.

Over the years, I’ve seen many information governance clean-up programs come to life in the wake of an expensive e-discovery effort, or an embarrassing and costly data breach.  Needless to say, such events draw the attention of the C-suite and boards of directors.  That attention usually translates into emergency funding and action to shut down e-mail retention, delete old files, and generally do what should have been done all along: better manage information.  Audits, whether external or internal, can serve the same function.

Continue Reading InfoSec Audit’s role in cleaning up ROT

While preparing for an upcoming presentation for in-house lawyers on data security, I dusted off the events of three months ago, when Yahoo! Inc. unceremoniously fired its general counsel on March 1st, the very same day it filed its 10-K for fiscal year 2016.  Yahoo’s 10-K disclosed the contemporaneous dismissal as a “Management Change” resulting from its Board of Directors’ Independent Committee investigation into Yahoo’s immense 2013-2014 data breaches, which were not disclosed until 2016. Unlike prior mega-breaches, in which the head of IT or the CEO was let go (Target, Sony), Yahoo singled out its lead in-house lawyer for firing … without separation compensation of any kind.

Henceforth, whether fairly or not, March 1 will be known as In-house Counsel Data Security Awareness Day – because it’s now clearer than ever before that in-house lawyers must take a hands-on approach to breach response, breach response readiness, and data security generally.

Continue Reading In-house Counsel in the Cybersecurity Crosshairs

… well, not quite that fast.  But nine minutes is pretty quick, as FTC researchers recently confirmed.

The FTC’s Office of Technology Research & Investigation (OTech) ran an experiment in April and May, posting made-up personally identifiable information in plain text on two different Internet paste sites.  The phony PII was consumer account information for 100 fictitious people, including name, address, phone number, email address, password, and payment means (credit card number, online payment account, or Bitcoin wallet).  Then, OTech waited to see what would happen, monitoring for access attempts on email and payment accounts, attempted credit card charges, and calls and texts received.

The results, and the speed of those results, were a surprise to all but the most jaded.  Here’s what OTech’s monitoring revealed:

Continue Reading How quickly is stolen PII fraudulently used? Faster than you can tweet “covfefe”

Sometimes one must look past the headlines (Target’s $18.5 million deal with the states) to see what’s truly important in effective data breach response.

Last week, in the Experian data breach litigation, the District Court denied plaintiffs’ motion to compel production of the forensic analysis report on the breach, prepared by Mandiant.  Why?  Because it was Experian’s law firm that retained Mandiant to perform the forensic analysis and prepare its report, in anticipation of litigation.  According to the court:

  • Jones Day hired Mandiant to assist the law firm in providing legal advice to the client Experian;
  • Mandiant’s report was based on server images that are independently discoverable, without the report;
  • only a summary, not the full report, was shared with Experian’s internal Incident Response Team; and
  • though Mandiant had in the past worked directly for Experian on other matters, this engagement was separate.

On this basis the court held that the report was protected work product, without even reaching the additional point of attorney/client privilege.

So what’s the big deal?  It’s this – in the heat of an unfolding security incident (in Experian’s case, impacting 15 million people), things move fast.  Really fast.  Victim companies scramble to understand what happened, when it happened, what must now be done, and by when. The what and when are of course important, but so too are the who and how of effective breach response.  For example, a natural move under the gun is to have the infosec folks immediately bring in an outside security/forensics firm and turn them loose.  Sounds great … until litigation ensues, and all of the forensic firm’s analysis is fair game in discovery – the good, the bad, and the ugly.

This is a no-win situation, for both the unprepared and the semi-prepared:

Continue Reading In breach response, who and how are just as important as what and when

I hope you were not affected by last Friday’s WannaCry ransomware hack.  If you were, you are unfortunately part of the biggest on-line extortion scheme seen to date.  And it may not be over, as new variants are appearing, so although you may have dodged the bullet for now, experts suggest that this attack is “nothing compared to what might be coming.”  So who are the lucky ones whose data is safe?

I always look forward to Verizon’s annual Data Breach Investigations Report.  Verizon dropped the 2017 DBIR last week, and for the 10th year in a row it cuts through the confusing landscape of security incidents and data breaches with analysis, alacrity … and yes, attitude (in what other report can you find a paragraph heading like “Tall, Dark, and Ransom”?).

The 2017 DBIR distills global information from 65 collectors of incident and breach data, analyzing 42,120 security incidents and 1,925 breaches that occurred during 2016.  The threat environment changes each year, but one of the reasons I value the DBIR is that it shines a light on a few key things that don’t change.  Here are four central aspects of data security that endure – and which we forget at our peril:

Continue Reading Yipee – Verizon’s 2017 DBIR has arrived!

Effective June 16, New Mexico will be the 48th state with a PII data breach notification statute.  New Mexico joins the vast majority of states, plus the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands, in requiring notice to affected residents of PII security breaches – as of June, only Alabama and South Dakota will lack such a law.

Like other states’ statutes, New Mexico’s new law is triggered by the residency of the affected individuals, and so companies across the country with PII of New Mexico residents must now fold the New Mexico requirements into both their PII policy definitions and their breach response protocols.

So, how does New Mexico’s new statute fit into our perplexing puzzle of PII breach notification laws?

Continue Reading America’s great – New Mexico makes 48

When Earth Day rolls around each year, I can’t help but think of the picnic scene from Mad Men.  After Don Draper chucks his empty beer can into the pond, Betty snaps the blanket, dumping their litter across the grass, before trundling the kids off to the family car (12 MPG, leaded gas, with no emissions control).

Mad Men’s magic was culture clash, the shocking contrast between the oblivious then – sexism, homophobia, humans as ashtrays – and our enlightened now.  What makes the picnic scene so memorable is the gobsmacking environmental thoughtlessness of that era, in which the only things green were money and envy.

And my, how far we’ve come.  We reduce, reuse, and recycle. Some of us compost, and others glare at the poor souls who still occasionally litter.  We spend extra money for energy-efficient vehicles and appliances.  We tend to buy local and organic, and we worry about chemicals in our food and water.  Most folks are concerned about climate change and believe we need to change human behavior to slow it.  In short, we devote significant thought, time, effort, and resources to be environmentally responsible.

At the same time, we remain completely oblivious to the swirling plumes of data exhaust we emit every day, and the toxic accumulations of data in the landfills of our devices, servers, and cloud accounts.  When it comes to data pollution, guess what – we’re Don and Betty.

Continue Reading Earth Day and data pollution